CVE-2020-25042
published 2020-09-03

Priority: P2 (59, high)
CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 18.11% (96.8th percentile)
An arbitrary file upload issue exists in Mara CMS 7.5. In order to exploit this, an attacker must have a valid authenticated (admin/manager) session and make a codebase/dir.php?type=filenew request to upload PHP code to codebase/handler.php.

Affected (1 range)

Vendor: maracms
Product: maracms
Version range: not given
Fixed in: not given

Detection & IOCs (extracted from sources)

URL: codebase/dir.php?type=filenew
Path: codebase/handler.php
  • Monitor for HTTP POST requests to `codebase/handler.php` on MaraCMS installations, which is the upload endpoint abused to plant malicious PHP files.
  • Monitor for HTTP GET requests to `codebase/dir.php` with the query parameter `type=filenew`, which is the trigger endpoint used to initiate the malicious file upload.
  • After a successful upload, the attacker executes the payload via HTTP GET requests to the uploaded PHP file in the web root. Monitor for unexpected PHP file creation and subsequent GET requests to newly created PHP files under the MaraCMS web root.
  • For Linux/Windows targets, a simple PHP web shell is uploaded first, then leveraged via a series of HTTP GET requests to deliver a staged payload (CmdStager). Detect repeated GET requests to a newly created PHP file with command-like query parameters.
  • Exploitation requires valid `admin` or `manager` credentials. Alert on authenticated sessions from unusual IPs followed immediately by POST requests to `codebase/handler.php`.
  • Exploitation requires an authenticated session (admin or manager role); unauthenticated access alone is insufficient to trigger the vulnerability.
  • The vulnerability affects MaraCMS 7.5 and prior versions. Verify the installed version before applying detections.
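As an added example (not from this page or the MaraCMS project), the following Python correlates the detection bullets above over constructed Apache combined-format access-log lines: per client IP it records the `type=filenew` trigger request, the POST to `codebase/handler.php`, and any subsequent GET to a `.php` path outside an assumed baseline of known files. The sample log lines, the `KNOWN_PHP` baseline and the severity ranking are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access log in Apache combined format (not from the page).
SAMPLE_LOG = """\
198.51.100.7 - - [03/Sep/2020:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Sep/2020:10:00:05 +0000] "GET /codebase/dir.php?type=filenew HTTP/1.1" 200 233 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Sep/2020:10:00:06 +0000] "POST /codebase/handler.php HTTP/1.1" 200 14 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Sep/2020:10:00:09 +0000] "GET /xk3j9.php?cmd=id HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.4 - - [03/Sep/2020:10:01:00 +0000] "GET /codebase/dir.php?type=filenew HTTP/1.1" 200 233 "-" "Mozilla/5.0"
"""

# Assumed baseline of PHP files that legitimately exist in the web root.
KNOWN_PHP = {"/index.php"}

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(log_text):
    """Yield (ip, method, path, query) for each parsable log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, _ts, method, target, _status = m.groups()
            path, _, query = target.partition("?")
            yield ip, method, path, query

def detect(log_text, known_php=KNOWN_PHP):
    """Per client IP, record which stages of the CVE-2020-25042 chain were seen:
    'filenew' (GET codebase/dir.php?type=filenew), 'upload' (POST codebase/handler.php),
    'exec:<path>' (GET to a .php file outside the baseline after an upload was seen)."""
    stages = defaultdict(list)
    for ip, method, path, query in parse(log_text):
        params = query.split("&")
        if method == "GET" and path.endswith("/codebase/dir.php") and "type=filenew" in params:
            stages[ip].append("filenew")
        elif method == "POST" and path.endswith("/codebase/handler.php"):
            stages[ip].append("upload")
        elif (method == "GET" and path.endswith(".php")
              and path not in known_php and "upload" in stages[ip]):
            stages[ip].append("exec:" + path)
    return dict(stages)

def severity(stage_list):
    """Rank a client's stage list: full chain -> high, upload seen -> medium, else low."""
    if any(s.startswith("exec:") for s in stage_list):
        return "high"
    return "medium" if "upload" in stage_list else "low"

if __name__ == "__main__":
    for ip, seen in detect(SAMPLE_LOG).items():
        print(ip, severity(seen), seen)
```

The `type=filenew` request alone is only a low-confidence signal, since an authenticated admin may use it legitimately; the upload and the follow-up GET to an unknown `.php` file are what raise the alert.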

CVSS provenance

NVD, CVSS v3.1: 7.2 HIGH (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)