CVE-2022-25487
Published 2022-03-15
CVE-2022-25487: Atom CMS v2.0 was discovered to contain a remote code execution (RCE) vulnerability via /admin/uploads.php.
Priority: P1 · 86 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 54.77% (98.9th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| thedigitalcraft | atomcms | — | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated POST requests to /admin/uploads.php?id=1 with multipart/form-data content type containing a .php filename; this is the exploit upload vector for CVE-2022-25487.
- Monitor for PHP webshell files appearing under the /uploads/ directory of Atom CMS installations, particularly files with numeric-prefixed names (e.g., <number>.php), as the exploit stores uploaded shells with a unique number.
- Flag multipart file uploads to /admin/uploads.php where the Content-Type of the file part is image/jpeg but the filename extension is .php; this is a classic MIME-type bypass for unrestricted file upload.
- The exploit uses the header 'X-Requested-With: XMLHttpRequest' combined with a multipart POST to /admin/uploads.php; correlate this header with the upload path for higher-fidelity detection.
- The exploit regex extracts the uploaded filename from the response using the pattern 'SET avatar = '(.*?)''; defenders can monitor server responses from /admin/uploads.php for this pattern to identify successful shell uploads.
- The vulnerability is unauthenticated: no valid session or credentials are required to exploit /admin/uploads.php, making network-level blocking of the endpoint the most effective mitigation.
- The exploit script is configured to route traffic through a local proxy (localhost:8080), which may cause exploit traffic to appear to originate from localhost in proxy-aware logging environments.
- The vulnerability is fixed in Atom CMS v2.1; detections targeting version 2.0 specifically should be scoped accordingly.
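The request and response indicators listed above, combined into one scoring function over a captured HTTP exchange. This is an added example, not code from any of the indexed sources; the function names, indicator labels, form field name, sample request and sample response text are all constructed for illustration.

```python
import re
from email import message_from_bytes
from urllib.parse import urlsplit

UPLOAD_PATH = "/admin/uploads.php"
AVATAR_RE = re.compile(r"SET avatar = '(.*?)'")  # response pattern quoted above

def file_parts(content_type, body):
    """Yield (filename, declared type) for each file part of a multipart body."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    msg = message_from_bytes(raw)
    if msg.is_multipart():
        for part in msg.get_payload():
            if part.get_filename():
                yield part.get_filename(), part.get_content_type()

def indicators(method, url, headers, body, response_text=""):
    """Return the CVE-2022-25487 indicators matched by one HTTP exchange."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    ctype = hdrs.get("content-type", "")
    # endswith() also covers installs under a sub-path such as /atom
    if method.upper() != "POST" or not urlsplit(url).path.endswith(UPLOAD_PATH):
        return []
    if not ctype.lower().startswith("multipart/form-data"):
        return []
    hits = []
    for filename, declared in file_parts(ctype, body):
        if filename.lower().endswith(".php"):
            hits.append("php-filename")
            if declared == "image/jpeg":
                hits.append("mime-mismatch")
    if hits and hdrs.get("x-requested-with") == "XMLHttpRequest":
        hits.append("xhr-header")
    stored = AVATAR_RE.search(response_text)
    if hits and stored and stored.group(1).lower().endswith(".php"):
        hits.append("stored-as:" + stored.group(1))
    return hits

# Constructed sample exchange (placeholder file content, made-up stored name).
BOUNDARY = "constructedboundary"
SAMPLE_HEADERS = {"Content-Type": "multipart/form-data; boundary=" + BOUNDARY,
                  "X-Requested-With": "XMLHttpRequest"}
SAMPLE_BODY = ("--" + BOUNDARY + "\r\n"
               'Content-Disposition: form-data; name="file"; filename="avatar.php"\r\n'
               "Content-Type: image/jpeg\r\n\r\nplaceholder\r\n"
               "--" + BOUNDARY + "--\r\n").encode()
SAMPLE_RESPONSE = "... SET avatar = '12345.php' ..."

if __name__ == "__main__":
    print(indicators("POST", "/atom/admin/uploads.php?id=1",
                     SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_RESPONSE))
```

The function only inspects the extension and declared part type named in the list above; the file-system check on the /uploads/ directory is a separate control.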
CVSS provenance
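| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |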
GHSA
GHSA-r8jc-fqm2-4629: Atom CMS v2
ghsa_unreviewed·2022-03-16
CVE-2022-25487 [CRITICAL] CWE-434 GHSA-r8jc-fqm2-4629: Atom CMS v2
Atom CMS v2.0 was discovered to contain a remote code execution (RCE) vulnerability via /admin/uploads.php.
VulnCheck
thedigitalcraft atomcms Unrestricted Upload of File with Dangerous Type
vulncheck·2022·CVSS 9.8
CVE-2022-25487 [CRITICAL] thedigitalcraft atomcms Unrestricted Upload of File with Dangerous Type
Atom CMS v2.0 was discovered to contain a remote code execution (RCE) vulnerability via /admin/uploads.php.
Affected: thedigitalcraft atomcms
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-03&host_type=src&vulnerability=cve-2022-25487; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-20&host_type=src&vulnerability=cve-2022-25487; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2022-25487; ht
No detection rules found.
Exploit-DB
Atom CMS 2.0 - Remote Code Execution (RCE)
exploitdb·2022-03-30·CVSS 9.8
CVE-2022-25487 [CRITICAL] Atom CMS 2.0 - Remote Code Execution (RCE)
---
# Exploit Title: Atom CMS 2.0 - Remote Code Execution (RCE)
# Date: 22.03.2022
# Exploit Author: Ashish Koli (Shikari)
# Vendor Homepage: https://thedigitalcraft.com/
# Software Link: https://github.com/thedigicraft/Atom.CMS
# Version: 2.0
# Tested on: Ubuntu 20.04.3 LTS
# CVE: CVE-2022-25487
# Description
This script uploads webshell.php to the Atom CMS. An application will store that file in the uploads directory with a unique number which allows us to access Webshell.
# Usage : python3 exploit.py
# Example: python3 exploit.py 127.0.0.1 80 /atom
# POC Exploit: https://youtu.be/qQrq-eEpswc
# Note: Crafted "Shell.txt" file is required for exploitation which is available on the below link:
# https://github.com/shikari00007/Atom-CMS-2.0---F
Nuclei
Atom CMS v2.0 - Remote Code Execution
nuclei·CVSS 9.8
CVE-2022-25487 [CRITICAL] Atom CMS v2.0 - Remote Code Execution
Atom CMS v2.0 was discovered to contain a remote code execution (RCE) vulnerability via /admin/uploads.php.
Template:
```yaml
id: CVE-2022-25487

info:
  name: Atom CMS v2.0 - Remote Code Execution
  author: theamanrawat
  severity: critical
  description: |
    Atom CMS v2.0 was discovered to contain a remote code execution (RCE) vulnerability via /admin/uploads.php.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: Fixed in version Atom CMS v2.1
  reference:
    - https://packetstormsecurity.com/files/166532/Atom-CMS-1.0.2-Shell-Upload.html
    - https://github.com/thedigicraft/Atom.CMS/issues/256
    - https://nvd.nist.gov/vuln/detail/CVE-2022-25487
    - https://github.com/ARPSyndicate/cvemo
```
No writeups or analysis indexed.