CVE-2022-25487
published 2022-03-15

CVE-2022-25487: Atom CMS v2.0 was discovered to contain a remote code execution (RCE) vulnerability via /admin/uploads.php.

Priority: P1 (86)
Severity: critical, CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
In-the-wild exploit: listed in VulnCheck KEV
Exploited in the wild
EPSS: 54.77% (98.9th percentile)

Affected (1 range)

Vendor: thedigitalcraft
Product: atomcms
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

path: /admin/uploads.php
path: /admin/uploads.php?id=1
path: /uploads/
filename: webshell.php
filename: shell.txt
other: Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH7Ak5WhirAIQ8o1L
other: X-Requested-With: XMLHttpRequest
  • Detect unauthenticated POST requests to /admin/uploads.php?id=1 with a multipart/form-data content type whose file part carries a .php filename; this is the upload vector used by the CVE-2022-25487 exploit.
  • Monitor for PHP webshell files appearing under the /uploads/ directory of Atom CMS installations, particularly files with numeric names (e.g., <number>.php), since the exploit stores each uploaded shell under a unique number.
  • Flag multipart file uploads to /admin/uploads.php where the Content-Type of the file part is image/jpeg but the filename extension is .php: a classic MIME-type bypass for unrestricted file upload, and the server evidently trusts the client-supplied type rather than the extension or content.
  • The exploit sends the header 'X-Requested-With: XMLHttpRequest' together with the multipart POST to /admin/uploads.php; correlating this header with the upload path gives a higher-fidelity detection than the path alone.
  • The exploit extracts the stored filename from the server response with the regex 'SET avatar = '(.*?)'', which means a successful upload is visible in the response body. Defenders can monitor responses from /admin/uploads.php for this pattern to identify successful shell uploads and learn the exact on-disk filename.
  • The vulnerability is unauthenticated: no valid session or credentials are required to reach /admin/uploads.php. Until an instance is upgraded to v2.1, blocking the endpoint at the network level is the most effective interim mitigation.
  • The exploit script is configured to route its traffic through a local proxy (localhost:8080), typically an intercepting proxy on the attacker's own machine. This only affects the attacker side: the target still logs the attacker's (or the proxy's) source address, so do not expect exploit traffic to appear to originate from localhost unless the proxy runs on the target host itself.
  • The vulnerability is fixed in Atom CMS v2.1; detections targeting version 2.0 specifically should be scoped accordingly.
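The detection rules above, turned into runnable logic as an added example (this is not code from the page's sources or from Atom CMS). It parses a raw multipart POST, applies the endpoint, .php-filename, MIME-mismatch and X-Requested-With rules, extracts the stored filename from a response with the exploit's own 'SET avatar = ...' regex, and flags numeric .php names in an /uploads/ listing. The sample request, response and directory listing are constructed from the IOCs on this page, not captured traffic; the extension list goes beyond the page's ".php" to other extensions commonly handled as PHP, which is an assumption about the target's web server configuration.

```python
import re

# --- Constructed sample data modelled on the IOCs above (not a real capture) ---
BOUNDARY = "----WebKitFormBoundaryH7Ak5WhirAIQ8o1L"

SAMPLE_EXPLOIT_REQUEST = (
    "POST /admin/uploads.php?id=1 HTTP/1.1\r\n"
    "Host: atomcms.example\r\n"
    "X-Requested-With: XMLHttpRequest\r\n"
    f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
    "\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="file"; filename="webshell.php"\r\n'
    "Content-Type: image/jpeg\r\n"            # part claims to be an image ...
    "\r\n"
    "<?php /* placeholder body */ ?>\r\n"     # ... but carries PHP
    f"--{BOUNDARY}--\r\n"
)

SAMPLE_BENIGN_REQUEST = (
    "POST /admin/uploads.php?id=1 HTTP/1.1\r\n"
    "Host: atomcms.example\r\n"
    f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
    "\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="file"; filename="avatar.jpg"\r\n'
    "Content-Type: image/jpeg\r\n"
    "\r\n"
    "\xff\xd8\xff\xe0 jpeg bytes\r\n"
    f"--{BOUNDARY}--\r\n"
)

# Constructed response echoing the statement the exploit's regex keys on.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "UPDATE users SET avatar = '1647302400.php' WHERE id = 1"
)

# Assumption: extensions the target's web server executes as PHP (page only names .php).
PHP_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}
RULE_ORDER = ("upload_endpoint_multipart", "php_filename",
              "mime_extension_mismatch", "xhr_header")
AVATAR_RE = re.compile(r"SET avatar = '(.*?)'")   # the exploit's own pattern
NUMERIC_PHP_RE = re.compile(r"^\d+\.php$", re.IGNORECASE)


def parse_request(raw):
    """Split a raw HTTP request into (method, target, lowercase-header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, target, headers, body


def parse_multipart(body, content_type):
    """Return [{filename, content_type, body}] for each part of a multipart body."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return []
    delim = "--" + m.group(1)
    parts = []
    for chunk in body.split(delim):
        chunk = chunk.strip("\r\n")
        if not chunk or chunk == "--":       # preamble / closing delimiter
            continue
        phead, _, pbody = chunk.partition("\r\n\r\n")
        disposition, ptype = "", ""
        for line in phead.split("\r\n"):
            key, _, value = line.partition(":")
            if key.strip().lower() == "content-disposition":
                disposition = value.strip()
            elif key.strip().lower() == "content-type":
                ptype = value.strip().lower()
        fm = re.search(r'filename="([^"]*)"', disposition)
        parts.append({"filename": fm.group(1) if fm else None,
                      "content_type": ptype, "body": pbody})
    return parts


def analyze_request(raw):
    """Apply the page's request-side rules; returns the matched rule names in fixed order."""
    method, target, headers, body = parse_request(raw)
    path = target.split("?", 1)[0]
    ctype = headers.get("content-type", "")
    hits = set()
    if method == "POST" and path == "/admin/uploads.php" \
            and ctype.lower().startswith("multipart/form-data"):
        hits.add("upload_endpoint_multipart")
        for part in parse_multipart(body, ctype):
            name = (part["filename"] or "").lower()
            ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
            if ext in PHP_EXTENSIONS:
                hits.add("php_filename")
                if part["content_type"].startswith("image/"):   # image/jpeg + .php
                    hits.add("mime_extension_mismatch")
        if headers.get("x-requested-with", "").lower() == "xmlhttprequest":
            hits.add("xhr_header")
    return [r for r in RULE_ORDER if r in hits]


def is_exploit_attempt(raw):
    """A PHP filename on the upload endpoint is the decisive signal; XHR/MIME add fidelity."""
    return "php_filename" in analyze_request(raw)


def extract_stored_filename(response_text):
    """Response-side rule: recover the on-disk name a successful upload was saved under."""
    m = AVATAR_RE.search(response_text)
    return m.group(1) if m else None


def flag_upload_dir(listing):
    """Filesystem rule: numeric-named .php files under /uploads/ as the exploit writes them."""
    return [n for n in listing if NUMERIC_PHP_RE.match(n)]


if __name__ == "__main__":
    print("exploit :", analyze_request(SAMPLE_EXPLOIT_REQUEST))
    print("benign  :", analyze_request(SAMPLE_BENIGN_REQUEST))
    print("stored  :", extract_stored_filename(SAMPLE_RESPONSE))
    print("uploads :", flag_upload_dir(["1647302400.php", "logo.png", "notes.txt"]))
```

The benign request deliberately matches only the endpoint rule, which is why the verdict hinges on the PHP filename rather than on the path: legitimate avatar uploads hit the same URL. Running the three checks together (request, response, filesystem) gives independent confirmation, since a WAF may drop the request while the response regex and the /uploads/ scan still reveal a shell that got through by another path.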

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck: 9.8 CRITICAL