CVE-2025-7100
Published: 2025-07-07
Priority: P258, critical, 9.8 (CVSS 3.1, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.29% (21.1th percentile)
A vulnerability was found in BoyunCMS up to 1.4.20 and classified as critical. Affected by this issue is some unknown functionality of the file /application/user/controller/Index.php. The manipulation of the argument image leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Affected
22 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| boyuncms_project | boyuncms | — | — |
| boyuncms_project | boyuncms | 1.4 – 1.4.20 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| cisa | — | 9.3 | CRITICAL | — |
GHSA
GHSA-jwmg-wm4j-mr52: A vulnerability was found in BoyunCMS up to 1
ghsa_unreviewed · 2025-07-07
CVE-2025-7100 [MEDIUM] CWE-284
CISA
Edimax IC-7100 IP Camera OS Command Injection Vulnerability
cisa · 2025-03-19 · CVSS 9.3
CVE-2025-1316 [CRITICAL] CWE-78
Affected: Edimax IC-7100 IP Camera
Edimax IC-7100 IP camera contains an OS command injection vulnerability due to improper input sanitization that allows an attacker to achieve remote code execution via specially crafted requests. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.edimax.com/edimax/post/post/data/edimax/global/press_releases/4801/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-1316
Remediation Due Date: 2025-04-09
Suricata
ET WEB_SPECIFIC_APPS Edimax IC-7100 Command Injection Attempt (CVE-2025-1316)
suricata · 2025-03-20 · CVSS 9.3
CVE-2025-1316 [CRITICAL]
Rule:

```
alert http1 any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Edimax IC-7100 Command Injection Attempt (CVE-2025-1316)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:27; content:"/camera-cgi/admin/param.cgi"; fast_pattern; http.header; content:"Authorization|3a 20|Basic|20|YWRtaW4"; http.request_body; content:"action|3d|update"; content:"ipcamSource|3d|"; content:"NTP_enable|3d|1"; content:"NTP_serverName|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:cve,2025-1316; reference:url,github.com/R00tS3c/DDOS-RootSec/blob/41e5009c8da9bd9fff94ffef34db218e51a55560/Botnets/Exploits/Edimax/poc.go; classtype:attempted-a
```
No public exploits indexed.
No writeups or analysis indexed.
2025-07-07
Published