ZwiiCMS
CVE-2025-57130
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable with a low-privilege account (PR:L) and no interaction; overwriting admin profile yields full account takeover, so C/I/A all High and AC:L.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionNVD
An Incorrect Access Control vulnerability in the user management component of ZwiiCMS up to v13.6.07 allows a remote, authenticated attacker to escalate their privileges. By sending a specially crafted HTTP request, a low-privilege user can access and modify the profile data of any other user, including administrators.
AnalysisAI
Privilege escalation in ZwiiCMS content management system (versions up to and including v13.6.07) allows a low-privilege authenticated user to read and overwrite the profile data of any other account, including administrators, by manipulating a crafted HTTP request to the user management component. Because an attacker can rewrite an administrator's credentials, this effectively yields full administrative takeover of the CMS. EPSS is low (0.23%, 46th percentile) and there is no public exploit identified at time of analysis, so risk is elevated primarily by the low attack complexity rather than by evidence of in-the-wild use.
Technical ContextAI
ZwiiCMS is a lightweight, flat-file (database-free) PHP content management system aimed at building small websites. The flaw resides in its user management component and is classified as CWE-284 (Improper Access Control): the application authenticates the requester but fails to authorize the requested action against the target object, so an object/identifier supplied in the HTTP request is trusted without verifying that the caller owns or may edit that record. The single CPE in scope, cpe:2.3:a:zwiicms:zwiicms:*:*:*:*:*:*:*:*, indicates the vendor's own product line with no version boundary encoded, consistent with 'all versions up to 13.6.07' being affected. The tag 'Authentication Bypass' is imprecise here - authentication is not bypassed; rather, authorization checks are missing on an already-authenticated session (a horizontal/vertical access-control failure).
RemediationAI
No vendor-released patch version is identified in the available data, so upgrade to a fixed release cannot yet be cited by number - monitor http://zwiicms.com and the ZwiiCMS project for a release above v13.6.07 that references CVE-2025-57130, and apply it once published. As compensating controls in the interim: disable open/self-service user registration so untrusted parties cannot obtain the low-privilege account the attack requires (trade-off: blocks legitimate new sign-ups); restrict access to the site administration and user-management endpoints by IP allow-list or an authenticating reverse proxy so only trusted networks can reach them (trade-off: complicates remote admin); and audit existing accounts and rotate administrator credentials, since a successful exploit alters admin profile data. Review the Nivel4 advisory (https://blog.nivel4.com/noticias/cve-2025-57130-especialistas-de-nivel4-identifican-falla-de-alta-severidad-en-gestor-de-contenidos) for any vendor-coordinated fix details before deploying.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today