iCMS
CVE-2025-15394
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was detected in iCMS up to 8.0.0. Affected is the function Save of the file app/config/ConfigAdmincp.php of the component POST Parameter Handler. The manipulation of the argument config results in code injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Code injection in iCMS up to version 8.0.0 allows a remote attacker who already holds high (administrative) privileges to inject arbitrary code through the config POST parameter handled by the Save function in app/config/ConfigAdmincp.php. Public exploit code is available (the vector's E:P reflects a proof of concept), but the low CVSS 4.0 score of 2.0 is driven by the PR:H requirement: the attacker first needs an authenticated high-privilege session. That limits opportunistic exploitation, but it does not make the bug harmless: a phished, reused or brute-forced admin credential turns it into server-side code execution, so the score should not be read as a reason to leave it unaddressed.
Technical Context (AI)
iCMS is a PHP-based content management system. The vulnerability resides in app/config/ConfigAdmincp.php, in the Save function that processes POST parameters. The config parameter is not validated before use, so a crafted value is carried into a code-execution context. NVD classifies the issue under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')), the parent of CWE-94 (Code Injection). In PHP configuration savers the downstream component is typically a generated PHP source file that is later include()d, or an eval() call; the advisory does not state which path iCMS takes, only that the value reaches executable code without sanitization or a safe serialization step.
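The pattern below is an added illustration of how this class of bug usually arises in a PHP configuration handler; it is written for this page and is not iCMS's code. The function names, the CONFIG_SCHEMA keys and the file paths are hypothetical. The vulnerable version interpolates a POST value straight into PHP source that will later be include()d, so a value carrying a closing quote followed by PHP code becomes executable. The hardened version accepts only allowlisted keys, coerces each value to its expected type, and lets var_export() produce the PHP literal so that no attacker-controlled byte ever lands outside a quoted string.

```php
<?php
// Added illustration for this page, not iCMS source code. Function names,
// the CONFIG_SCHEMA keys and the file paths are hypothetical.

// --- Vulnerable pattern: POST values interpolated into PHP source ---------
// A value such as  x'; system($_GET['c']); //  closes the string literal and
// the remainder becomes code that runs the next time the file is include()d.
function saveConfigVulnerable(array $config, string $file): void
{
    $php = "<?php\n";
    foreach ($config as $key => $value) {
        $php .= "\$CFG['{$key}'] = '{$value}';\n";
    }
    file_put_contents($file, $php);
}

// --- Hardened pattern: allowlisted keys, typed values, var_export() ------
const CONFIG_SCHEMA = [
    'site_name'      => 'string',
    'items_per_page' => 'int',
    'debug'          => 'bool',
];

function validateConfig(array $config): array
{
    $clean = [];
    foreach (CONFIG_SCHEMA as $key => $type) {   // keys not in the schema are dropped
        if (!array_key_exists($key, $config)) {
            continue;
        }
        $raw = $config[$key];
        switch ($type) {
            case 'int':
                $v = filter_var($raw, FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => 1, 'max_range' => 500]]);
                if ($v === false) {
                    throw new InvalidArgumentException("config.$key: integer 1..500 expected");
                }
                break;
            case 'bool':
                $v = filter_var($raw, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
                if ($v === null) {
                    throw new InvalidArgumentException("config.$key: boolean expected");
                }
                break;
            default:
                if (!is_string($raw) || strlen($raw) > 200) {
                    throw new InvalidArgumentException("config.$key: short string expected");
                }
                $v = $raw;
        }
        $clean[$key] = $v;
    }
    return $clean;
}

function saveConfigHardened(array $config, string $file): void
{
    $clean = validateConfig($config);
    // var_export() emits a PHP literal with every string quoted and escaped,
    // so the payload above is stored as data, never as code.
    $php = "<?php\nreturn " . var_export($clean, true) . ";\n";
    // Write to a temp file and rename so a concurrent include() never sees a
    // half-written config.
    $tmp = $file . '.tmp';
    file_put_contents($tmp, $php, LOCK_EX);
    rename($tmp, $file);
}

// Demonstration with a constructed attacker payload. Both files are written
// to the temp directory and printed; neither is include()d here.
$payload = ['site_name' => "x'; system(\$_GET['c']); //", 'items_per_page' => '20'];
$dir = sys_get_temp_dir();
saveConfigVulnerable($payload, "$dir/icms_vuln_config.php");
echo file_get_contents("$dir/icms_vuln_config.php");
saveConfigHardened($payload, "$dir/icms_safe_config.php");
echo file_get_contents("$dir/icms_safe_config.php");
```

Run it with the PHP CLI and compare the two files: in the first, the payload's quote terminates the string literal and `system($_GET['c'])` sits in the file as live code; in the second, the same bytes appear inside a single escaped string. The key in the vulnerable loop is just as dangerous as the value, which is why the hardened version iterates over the schema rather than over the submitted array.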
Remediation (AI)
No vendor-released patch identified at time of analysis; the vendor did not respond to early disclosure attempts. Check the project's repository for a fix newer than 8.0.0 before relying on compensating controls, and consider migrating to an actively maintained CMS if none appears. As interim controls: restrict access to the admin area (including app/config/ConfigAdmincp.php) to trusted internal networks or IP ranges using web server access rules (.htaccess or equivalent) or WAF rules; audit all administrative accounts, enforce strong credentials and remove unused ones, since the attack requires an admin session; disable direct POST updates to the config parameter if configuration can be managed another way (API, database or file-based config); and monitor requests to the config endpoint for values containing code patterns (PHP tags, parentheses, function names, shell operators). If the Save function persists settings to a PHP file, also review that file for unexpected code and compare its modification time against legitimate admin activity, because a successful injection will usually leave its payload there. These controls reduce exploitation likelihood but do not eliminate the underlying code injection flaw.
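An added example of the two interim controls above (source-IP restriction and inspection of the config parameter for code patterns) as a single PHP guard; this is written for this page and is not iCMS code. It assumes the admin config handler can be fronted by this file (for example through PHP's auto_prepend_file directive), that the setting arrives as $_POST['config'], and that the trusted CIDRs and log path are replaced with values for the deployment.

```php
<?php
// Added example of an interim guard for this page, not iCMS code. Assumes it
// is prepended to the admin config handler (e.g. via auto_prepend_file) and
// that the setting arrives as $_POST['config']. The trusted CIDRs and the log
// path are assumptions to adapt per deployment.

const ADMIN_ALLOWED_CIDRS = ['10.0.0.0/8', '192.168.1.0/24'];
const GUARD_LOG = '/var/log/icms/config_guard.log';   // keep outside the web root

// Tokens a site setting never needs but an injected PHP payload usually does.
// Heuristic: tune the quote-then-semicolon alternative if legitimate values trip it.
const SUSPICIOUS_PATTERN =
    '/<\?|\?>|`|\\$_(GET|POST|REQUEST|COOKIE|SERVER)\b'
    . '|\b(eval|assert|system|exec|passthru|shell_exec|popen|proc_open)\s*\('
    . '|[\'"]\s*;|\bphp:\/\//i';

function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;                 // non-IPv4 addresses are not trusted here
    }
    $shift = 32 - (int)$bits;         // compare only the network prefix bits
    return $shift >= 32 || ($ipLong >> $shift) === ($netLong >> $shift);
}

function findSuspiciousConfigValues(array $config): array
{
    $hits = [];
    foreach ($config as $key => $value) {
        // Keys are scanned too: an attacker controls both halves of the pair.
        $text = $key . ' ' . (is_array($value) ? json_encode($value) : (string)$value);
        if (preg_match(SUSPICIOUS_PATTERN, $text)) {
            $hits[] = (string)$key;
        }
    }
    return $hits;
}

function logGuard(string $msg): void
{
    file_put_contents(GUARD_LOG, date('c') . ' ' . $msg . "\n", FILE_APPEND | LOCK_EX);
}

// Returns true when the request may proceed to the real Save handler.
function guardConfigSave(string $remoteIp, array $post): bool
{
    $trusted = false;
    foreach (ADMIN_ALLOWED_CIDRS as $cidr) {
        if (ipInCidr($remoteIp, $cidr)) {
            $trusted = true;
            break;
        }
    }
    if (!$trusted) {
        logGuard("deny ip=$remoteIp reason=untrusted-source");
        return false;
    }
    $config = $post['config'] ?? [];
    if (!is_array($config)) {
        $config = ['config' => $config];   // scalar form: scan it the same way
    }
    $hits = findSuspiciousConfigValues($config);
    if ($hits !== []) {
        logGuard("deny ip=$remoteIp reason=code-pattern keys=" . implode(',', $hits));
        return false;
    }
    return true;
}

// Runtime hook: refuse the request before the real handler runs.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
    && !guardConfigSave($_SERVER['REMOTE_ADDR'] ?? '', $_POST)) {
    http_response_code(403);
    exit('Forbidden');
}
```

Two caveats for deployment: behind a reverse proxy REMOTE_ADDR is the proxy's address, so resolve the client IP from a trusted forwarding header before calling guardConfigSave(), and the pattern list is a detection aid rather than a fix, since it only catches payloads that look like the obvious PHP primitives. The log lines it writes are the "suspicious config parameter submissions" the remediation text asks you to monitor.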