cbcvebase.
CVE-2025-5569
published 2025-06-04


Priority: P261, high, 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 1.27% (66.1th percentile)
A vulnerability was found in IdeaCMS up to 1.7 and classified as critical. This issue affects the function Article/Goods of the file /api/v1.index.article/getList.html. Manipulation of the argument Field leads to SQL injection. The attack may be initiated remotely. Upgrading to version 1.8 addresses this issue. The patch is named 935aceb4c21338633de6d41e13332f7b9db4fa6a. It is recommended to upgrade the affected component.

Affected

7 ranges
Vendor | Product | Version range | Fixed in
ideacms | ideacms | <= 1.7 |
ideacms | ideacms | |
ideacms | ideacms | |
ideacms | ideacms | |
ideacms | ideacms | |
ideacms | ideacms | |
ideacms | ideacms | |

Detection & IOCs (extracted from sources)

url: /api/v1.index.article/getList.html?field=id,md5({{num}})&size=1&cat=3&time_stamp=1781864476
url: /api/v1.index.goods/getList.html?field=id,md5({{num}})&activity_type=hot&time_stamp=1781864476
path: /api/v1.index.article/getList.html
hash: 935aceb4c21338633de6d41e13332f7b9db4fa6a
  • Detect exploitation attempts by monitoring GET requests to /api/v1.index.article/getList.html or /api/v1.index.goods/getList.html with a 'field' parameter containing SQL expressions (e.g., md5(), commas separating column names with functions).
  • Match HTTP 200 responses containing both 'id":1' and 'data":' alongside an MD5 hash value in the body to confirm successful SQL injection exploitation.
  • Use the Shodan favicon hash -1033616879 or FOFA icon_hash "-1033616879" to identify exposed IdeaCMS instances for proactive scanning.
  • The vulnerability is unauthenticated (PR:N, UI:N); no session or credentials are required. Alert on any external/anonymous access to the affected endpoints with non-trivial 'field' parameter values.
  • The Nuclei template uses a time-based/MD5 blind detection approach with a fixed large numeric value (999999999) injected via the 'field' parameter. Real-world payloads may vary; tune detection rules to cover broader SQL function injection patterns in the 'field' parameter, not just md5().
  • The template sets stop-at-first-match: true and only sends a maximum of 2 requests, targeting both the article and goods endpoints. Detection coverage must include both /api/v1.index.article/getList.html and /api/v1.index.goods/getList.html.
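
An added example, not part of the original entry or of any vendor tooling: a log filter for the two endpoints above that flags any 'field' value that is not a plain comma-separated column list, so it covers SQL functions other than md5(). The combined log format, the column-name allowlist, case-insensitive path matching and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# The two endpoints named in this entry (compared case-insensitively, an assumption).
WATCHED = {"/api/v1.index.article/getlist.html", "/api/v1.index.goods/getlist.html"}
# Assumption: a legitimate 'field' value is a comma-separated list of column names.
PLAIN_COLUMNS = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(\s*,\s*[A-Za-z_][A-Za-z0-9_]*)*")
# Request target and status of a combined-format access log line.
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [04/Jun/2025:10:00:01 +0000] "GET /api/v1.index.article/getList.html?field=id,title&size=10&cat=3 HTTP/1.1" 200 512',
    '203.0.113.9 - - [04/Jun/2025:10:00:05 +0000] "GET /api/v1.index.article/getList.html?field=id,md5(999999999)&size=1&cat=3 HTTP/1.1" 200 180',
    '203.0.113.9 - - [04/Jun/2025:10:00:06 +0000] "GET /api/v1.index.goods/getList.html?Field=id%2Cmd5%28999999999%29&activity_type=hot HTTP/1.1" 200 176',
    '198.51.100.7 - - [04/Jun/2025:10:00:09 +0000] "GET /index.html?field=md5(1) HTTP/1.1" 200 900',
]

def suspicious_field(target):
    """Return the decoded 'field' value if it is not a plain column list, else None."""
    parts = urlsplit(target)
    if parts.path.lower() not in WATCHED:
        return None
    # parse_qsl percent-decodes, so encoded parentheses and commas are caught too.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = value.strip()
        if name.lower() == "field" and value and not PLAIN_COLUMNS.fullmatch(value):
            return value
    return None

def scan(lines):
    """Return (client, status, field_value) for every flagged request."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if m is None:
            continue
        value = suspicious_field(m["target"])
        if value is not None:
            hits.append((line.split()[0], m["status"], value))
    return hits

if __name__ == "__main__":
    for client, status, value in scan(SAMPLE_LOG):
        print(f"ALERT client={client} status={status} field={value!r}")
```

The filter only inspects the query string of logged requests; it does not confirm exploitation, which the response-body match described above is for.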

CVSS provenance

nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v4.0 | 5.3 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P