CVE-2025-34113
Published 2025-07-15
Priority: P2 | 66 | High | 8.7 (CVSS 4.0)
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Exploit: public exploit available
EPSS: 2.10% (79.4th percentile)
An authenticated command injection vulnerability exists in Tiki Wiki CMS versions ≤14.1, ≤12.4 LTS, ≤9.10 LTS, and ≤6.14 via the `viewmode` GET parameter in `tiki-calendar.php`. When the calendar module is enabled and an authenticated user has permission to access it, an attacker can inject and execute arbitrary PHP code. Successful exploitation leads to remote code execution in the context of the web server user.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tiki_software_community_association | wiki_cms_groupware | <= 14.1 | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests to `tiki-calendar.php` containing suspicious or encoded PHP code within the `viewmode` GET parameter, which is the injection point for CVE-2025-34113.
- Exploitation requires an authenticated session and the calendar module to be enabled. Correlate authenticated user activity against requests to `tiki-calendar.php?viewmode=` with anomalous values.
- A Metasploit module exists for this vulnerability (`modules/exploits/linux/http/tiki_calendar_exec.rb`). Detect exploitation attempts originating from Metasploit by inspecting user-agent strings and request patterns consistent with this module targeting `tiki-calendar.php`.
- Successful exploitation leads to RCE as the web server user. Monitor for unexpected child processes spawned by the web server process (e.g., Apache/Nginx spawning shells) following requests to `tiki-calendar.php`.
- The calendar module is NOT enabled by default in Tiki Wiki CMS. Instances are only vulnerable if the module has been explicitly enabled by an administrator.
- Even when the calendar module is enabled, anonymous (unauthenticated) users are not permitted to access it by default. Exploitation requires valid authenticated credentials.
- Affected versions span multiple LTS branches: ≤14.1, ≤12.4 LTS, ≤9.10 LTS, and ≤6.14. Ensure detection and patching coverage extends across all deployed LTS branches, not just the latest.
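The first two detection notes above (anomalous `viewmode` values on `tiki-calendar.php`, correlated with whether the request was authenticated) can be turned into a small log scanner. The script below is an added example, not code from this advisory or from the Tiki project. It assumes Apache "combined" access-log lines whose third field (`%u`) carries the authenticated user, and it assumes that legitimate `viewmode` values are short alphanumeric tokens; the log lines are constructed for the example and the suspicious value is a labelled placeholder, not a real payload.

```python
"""Flag anomalous `viewmode` values in requests to tiki-calendar.php (added example)."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" format. The third field (%u) is the
# authenticated remote user, "-" when the request was unauthenticated. These are not
# real captures; the odd viewmode values are placeholders that merely contain
# characters a legitimate view-mode name would never have.
SAMPLE_LOG = """\
10.0.0.5 - alice [15/Jul/2025:10:00:01 +0000] "GET /tiki-calendar.php?viewmode=month HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - bob [15/Jul/2025:10:02:13 +0000] "GET /tiki-calendar.php?viewmode=week%27%3BCONSTRUCTED_SUSPICIOUS_VALUE%3B%2F%2F HTTP/1.1" 200 7421 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Jul/2025:10:03:40 +0000] "GET /tiki-calendar.php?viewmode=%24%7Bx%7D HTTP/1.1" 403 211 "-" "curl/8.0"
10.0.0.5 - alice [15/Jul/2025:10:05:00 +0000] "GET /tiki-index.php?page=Home HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumption: legitimate viewmode values are short alphanumeric tokens such as "month".
# Quotes, braces, semicolons, '$', '%', whitespace and the like never belong there.
SAFE_VIEWMODE = re.compile(r'^[A-Za-z0-9_-]{1,32}$')


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["user"] = None if rec["user"] == "-" else rec["user"]
    rec["status"] = int(rec["status"])
    return rec


def viewmode_values(target):
    """Percent-decoded viewmode values of a request target that hits tiki-calendar.php."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] != "tiki-calendar.php":
        return []
    # parse_qs decodes once; a double-encoded value still keeps a '%' and is flagged anyway.
    return parse_qs(parts.query, keep_blank_values=True).get("viewmode", [])


def is_suspicious_viewmode(value):
    """True when the decoded value is not a plain short token."""
    return SAFE_VIEWMODE.fullmatch(value) is None


def scan(log_text):
    """Return one finding per request that carries an anomalous viewmode value."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        bad = [v for v in viewmode_values(rec["target"]) if is_suspicious_viewmode(v)]
        if not bad:
            continue
        authenticated = rec["user"] is not None
        findings.append({
            "ip": rec["ip"],
            "user": rec["user"],
            "timestamp": rec["ts"],
            "status": rec["status"],
            "user_agent": rec["ua"],
            "values": bad,
            "authenticated": authenticated,
            # Exploitation needs a valid session, so an authenticated request that got a
            # 200 is the one to triage first; unauthenticated or rejected hits rank lower.
            "severity": "high" if authenticated and rec["status"] == 200 else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['timestamp']} {f['ip']} user={f['user']} "
              f"status={f['status']} viewmode={f['values']}")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; if the deployment logs only session cookies rather than `%u`, map the cookie to a user at the application layer before the authenticated/unauthenticated split. The allowlist approach is deliberately strict: it does not try to recognise PHP, so it also catches encoded or obfuscated values, at the cost of flagging any unusual but benign view-mode name an operator might add.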
No detection rules found.
No writeups or analysis indexed.
References
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/tiki_calendar_exec.rb
- https://tiki.org/article414-Important-Security-Fix-for-all-versions-of-Tiki
- https://www.acunetix.com/vulnerabilities/web/tiki-wiki-cms-remote-code-execution-via-calendar-module/
- https://www.exploit-db.com/exploits/39965
- https://www.vulncheck.com/advisories/tiki-wiki-cms-authenticated-command-injection-in-calendar-module