VYPR
High severity · NVD Advisory · Published May 20, 2025 · Updated May 20, 2025

TYPO3 CMS Vulnerable to Privilege Escalation to System Maintainer

CVE-2025-47940

Description

TYPO3 is an open source, PHP based web content management system. Starting in version 10.0.0 and prior to versions 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, administrator-level backend users without system maintainer privileges can escalate their privileges and gain system maintainer access. Exploiting this vulnerability requires a valid administrator account. Users should update to TYPO3 version 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS to fix the problem.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Administrator-level backend users in TYPO3 CMS can escalate their privileges to system maintainer by modifying the admin flag or password of system maintainer users.

Vulnerability

CVE-2025-47940 is a privilege escalation vulnerability in TYPO3 CMS affecting versions 10.0.0 through 10.4.49, 11.0.0 through 11.5.43, 12.0.0 through 12.4.30, and 13.0.0 through 13.4.11 [1][2][4]. The root cause lies in the DataHandler component (ext:core), where a missing access check allowed administrator-level backend users who are not system maintainers to modify the admin flag or password field of users listed in the $GLOBALS['TYPO3_CONF_VARS']['SYS']['systemMaintainers'] array [1][4]. The check that prevented non-system-maintainer admins from altering system maintainer accounts was removed in a commit, enabling the bypass [1].

Exploitation

Exploitation requires a valid administrator account with backend access to the TYPO3 installation [2][4]. The attacker does not need system maintainer privileges to perform the attack. By crafting a direct database update request (e.g., through the backend user module or via the DataHandler API), an admin can change the admin flag of a system maintainer account from 1 to 0, or modify the password of such an account [1]. This bypasses the intended restriction that only system maintainers should be able to alter privileges of other system maintainers [1].

Impact

Successful exploitation allows an administrator-level attacker without system maintainer access to gain full system maintainer privileges. System maintainers in TYPO3 have elevated access, including the ability to install extensions, modify system configuration, and manage other users [2][4]. This can lead to a complete compromise of the TYPO3 instance, as the attacker can perform any administrative action [4]. The vulnerability is classified as CWE-283 (Unverified Ownership) and has an assigned CVSS v3.1 score of 7.2 (High) [4].

Mitigation

TYPO3 has released patched versions: 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS [2][4]. Users are strongly advised to update to these versions immediately [1][2][4]. The fix reinstates the access control check to prevent non-system-maintainer admins from modifying system maintainer accounts [1]. There is no known workaround; updating is the only recommended mitigation.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Source      Affected versions        Patched versions
typo3/cms-core   Packagist   >= 10.4.0, < 10.4.50     10.4.50
typo3/cms-core   Packagist   >= 11.0.0, < 11.5.44     11.5.44
typo3/cms-core   Packagist   >= 12.0.0, < 12.4.31     12.4.31
typo3/cms-core   Packagist   >= 13.0.0, < 13.4.12     13.4.12
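An added check, written for this page and not part of the advisory or of TYPO3, that reads a project's composer.lock and classifies the pinned typo3/cms-core version against the ranges in the table above (the 10.x line uses the table's 10.4.0 lower bound); the lock content is a constructed sample and the helper names are this example's own:

```python
"""Classify a composer.lock against the typo3/cms-core ranges in the table above.

Added example, not part of the advisory or of TYPO3; sample lock content is constructed.
"""
import json
import re

PACKAGE = "typo3/cms-core"

# (first affected, first patched) per release line, from the advisory table
AFFECTED_RANGES = [
    ((10, 4, 0), (10, 4, 50)),
    ((11, 0, 0), (11, 5, 44)),
    ((12, 0, 0), (12, 4, 31)),
    ((13, 0, 0), (13, 4, 12)),
]

# Constructed minimal lock content with the shape of a real composer.lock
SAMPLE_LOCK = json.dumps({"packages": [{"name": PACKAGE, "version": "v12.4.30"}]})


def parse_version(version: str) -> tuple:
    """Normalise Composer strings such as 'v12.4.30' or '12.4.30.0' to (major, minor, patch)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True if the version lies in any [first_affected, first_patched) range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def find_core_version(lock_json: str):
    """Return the pinned typo3/cms-core version from composer.lock content, or None."""
    for pkg in json.loads(lock_json).get("packages", []):
        if pkg.get("name") == PACKAGE:
            return pkg.get("version")
    return None


def check_lock(lock_json: str) -> str:
    """Classify lock content as 'affected', 'patched', 'not-installed' or 'unknown'."""
    version = find_core_version(lock_json)
    if version is None:
        return "not-installed"
    try:
        return "affected" if is_affected(version) else "patched"
    except ValueError:  # e.g. 'dev-main' cannot be placed in a numeric range
        return "unknown"
```

Run it against a real composer.lock by passing the file's contents to `check_lock`; a `dev-*` pin is reported as `unknown` rather than guessed.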

Affected products

3 entries
  • TYPO3/Typo3 (llm-fuzzy match; 2 version ranges, no CPE assigned)
    • >= 10.0.0, < 10.4.50 ELTS
    • >= 10.0.0, < 10.4.50
  • GHSA coordinates: >= 10.4.0, < 10.4.50

Patches

1 commit: a659cc8c0ae0

[SECURITY] Disallow changing system maintainer details

https://github.com/TYPO3-CMS/core · Oliver Hader · May 20, 2025 · via GHSA
5 files changed · +64 −31
  • Classes/DataHandling/DataHandler.php (+0 −27, modified)
    @@ -1274,33 +1274,6 @@ public function checkValue($table, $field, $value, $id, $status, $realPid, $tscP
                 }
             }
     
    -        if ($table === 'be_users'
    -            && ($field === 'admin' || $field === 'password')
    -            && $status === 'update'
    -        ) {
    -            // Do not allow a non system maintainer admin to change admin flag and password of system maintainers
    -            $systemMaintainers = array_map(intval(...), $GLOBALS['TYPO3_CONF_VARS']['SYS']['systemMaintainers'] ?? []);
    -            // False if current user is not in system maintainer list or if switch to user mode is active
    -            $isCurrentUserSystemMaintainer = $this->BE_USER->isSystemMaintainer();
    -            $isTargetUserInSystemMaintainerList = in_array((int)$id, $systemMaintainers, true);
    -            if ($field === 'admin') {
    -                $isFieldChanged = (int)$currentRecord[$field] !== (int)$value;
    -            } else {
    -                $isFieldChanged = $currentRecord[$field] !== $value;
    -            }
    -            if (!$isCurrentUserSystemMaintainer && $isTargetUserInSystemMaintainerList && $isFieldChanged) {
    -                $value = $currentRecord[$field];
    -                $this->log(
    -                    $table,
    -                    (int)$id,
    -                    SystemLogDatabaseAction::UPDATE,
    -                    null,
    -                    SystemLogErrorClassification::SECURITY_NOTICE,
    -                    'Only system maintainers can change the admin flag and password of other system maintainers. The value has not been updated'
    -                );
    -            }
    -        }
    -
             // Getting config for the field
             $tcaFieldConf = $this->resolveFieldConfigurationAndRespectColumnsOverrides($table, $field);
     
    
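Review bot: removing this block from checkValue() leaves no guard in DataHandler.php itself, so protection now rests entirely on whatever replaces it being invoked on every be_users update path; the removed code also only covered `admin` and `password` and skipped the log when the value was unchanged (`$isFieldChanged`), so a replacement that drops that comparison should be confirmed not to write spurious SECURITY_NOTICE entries for no-op saves of system maintainer records. Also check whether `SystemLogDatabaseAction` and `SystemLogErrorClassification` still have other uses in DataHandler.php after this removal, or the imports are now dead.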
  • Classes/Hooks/SystemMaintainerAllowanceCheck.php (+53 −0, added)
    @@ -0,0 +1,53 @@
    +<?php
    +
    +declare(strict_types=1);
    +
    +/*
    + * This file is part of the TYPO3 CMS project.
    + *
    + * It is free software; you can redistribute it and/or modify it under
    + * the terms of the GNU General Public License, either version 2
    + * of the License, or any later version.
    + *
    + * For the full copyright and license information, please read the
    + * LICENSE.txt file that was distributed with this source code.
    + *
    + * The TYPO3 project - inspiring people to share!
    + */
    +
    +namespace TYPO3\CMS\Core\Hooks;
    +
    +use TYPO3\CMS\Core\DataHandling\DataHandler;
    +use TYPO3\CMS\Core\SysLog\Action\Database as SystemLogDatabaseAction;
    +use TYPO3\CMS\Core\SysLog\Error as SystemLogErrorClassification;
    +
    +/**
    + * DataHandler hook to ensure that only system maintainers can change details of system maintainers.
    + *
    + * @internal This class is a hook implementation and is not part of the TYPO3 Core API.
    + */
    +final class SystemMaintainerAllowanceCheck
    +{
    +    public function processDatamap_postProcessFieldArray(string $status, string $table, int|string $id, array &$fieldArray, DataHandler $dataHandler): void
    +    {
    +        if ($table !== 'be_users' || $status !== 'update' || empty($fieldArray)) {
    +            return;
    +        }
    +        // Do not allow a non system maintainer admin to change details of system maintainers.
    +        $systemMaintainers = array_map(intval(...), $GLOBALS['TYPO3_CONF_VARS']['SYS']['systemMaintainers'] ?? []);
    +        // False if current user is not in system maintainer list or if switch to user mode is active
    +        $isCurrentUserSystemMaintainer = $dataHandler->BE_USER->isSystemMaintainer();
    +        $isTargetUserInSystemMaintainerList = in_array((int)$id, $systemMaintainers, true);
    +        if (!$isCurrentUserSystemMaintainer && $isTargetUserInSystemMaintainerList) {
    +            $fieldArray = [];
    +            $dataHandler->log(
    +                $table,
    +                (int)$id,
    +                SystemLogDatabaseAction::UPDATE,
    +                null,
    +                SystemLogErrorClassification::SECURITY_NOTICE,
    +                'Only system maintainers can change details of other system maintainers. The values have not been updated.'
    +            );
    +        }
    +    }
    +}
    
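Review bot: the hook clears the whole `$fieldArray` and logs a hard-coded English message, while the `error.adminCanNotChangeSystemMaintainer` label this same commit edits in locallang_core.xlf is not referenced here; either resolve the translated label through the language service or document where that label is consumed, otherwise the two strings will drift. Clearing `$fieldArray` also turns the save into a silent no-op from the editor's side: the DataHandler log entry is written, but nothing in this class raises a flash message, so user-visible feedback depends on the FormEngine provider registered in DefaultConfiguration.php. A functional test covering a non-maintainer admin updating `admin`, `password` and an unrelated be_users column on a uid listed in `systemMaintainers` would pin the broadened behaviour.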
  • Configuration/DefaultConfiguration.php (+5 −0, modified)
    @@ -726,6 +726,11 @@
                                 \TYPO3\CMS\Backend\Form\FormDataProvider\TcaRecordTitle::class,
                             ],
                         ],
    +                    \TYPO3\CMS\Backend\Form\FormDataProvider\SystemMaintainerAsReadonly::class => [
    +                        'depends' => [
    +                            \TYPO3\CMS\Backend\Form\FormDataProvider\EvaluateDisplayConditions::class,
    +                        ],
    +                    ],
                     ],
                     'tcaSelectTreeAjaxFieldData' => [
                         \TYPO3\CMS\Backend\Form\FormDataProvider\DatabaseEditRow::class => [],
    
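Review bot: `SystemMaintainerAsReadonly` is registered as a FormEngine data provider here, but the class lives under `TYPO3\CMS\Backend` and is not among the five files in this change, so the registration depends on a matching commit in the backend package; confirm it lands together (including the ELTS branches), otherwise the provider list references a class that does not exist. The `depends` entry only orders it after `EvaluateDisplayConditions`; a short comment stating why that ordering is required would help the next reader.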
  • ext_localconf.php (+2 −0, modified)
    @@ -8,6 +8,7 @@
     use TYPO3\CMS\Core\Hooks\CreateSiteConfiguration;
     use TYPO3\CMS\Core\Hooks\DestroySessionHook;
     use TYPO3\CMS\Core\Hooks\PagesTsConfigGuard;
    +use TYPO3\CMS\Core\Hooks\SystemMaintainerAllowanceCheck;
     use TYPO3\CMS\Core\Hooks\UpdateFileIndexEntry;
     use TYPO3\CMS\Core\MetaTag\EdgeMetaTagManager;
     use TYPO3\CMS\Core\MetaTag\Html5MetaTagManager;
    @@ -32,6 +33,7 @@
     $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS'][GeneralUtility::class]['moveUploadedFile'][] = SvgHookHandler::class . '->processMoveUploadedFile';
     $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['processDatamapClass'][] = FileMetadataPermissionsAspect::class;
     $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['processDatamapClass'][] = BackendUserPasswordCheck::class;
    +$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['processDatamapClass'][] = SystemMaintainerAllowanceCheck::class;
     $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['checkModifyAccessList'][] = FileMetadataPermissionsAspect::class;
     $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['checkModifyAccessList'][] = FilePermissionAspect::class;
     $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['processDatamapClass'][] = FilePermissionAspect::class;
    
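Review bot: the new hook is appended after `FileMetadataPermissionsAspect` and `BackendUserPasswordCheck` in `processDatamapClass`, so those hooks see the be_users field array before `SystemMaintainerAllowanceCheck` empties it; if the allowance check is meant to be authoritative, registering it ahead of `BackendUserPasswordCheck` avoids doing password processing on values that are then discarded (assuming that hook also acts in `processDatamap_postProcessFieldArray`).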
  • Resources/Private/Language/locallang_core.xlf (+4 −4, modified)
    @@ -1366,17 +1366,17 @@ Do you want to refresh it now?</source>
     				<source>"%s" is not a valid e-mail address.</source>
     			</trans-unit>
     			<trans-unit id="error.adminCanNotChangeSystemMaintainer">
    -				<source>Only system maintainers can change the admin flag and password of other system maintainers. The value has not been updated.</source>
    +				<source>Non system maintainers cannot change details of system maintainers. The values have not been updated.</source>
    +			</trans-unit>
    +			<trans-unit id="formEngine.beUser.information.adminCanNotChangeSystemMaintainer">
    +				<source>This user is a system maintainer. Changing details of system maintainers is not allowed.</source>
     			</trans-unit>
     			<trans-unit id="formEngine.beUser.admin.information.userIsSystemMaintainer">
     				<source>This user is a system maintainer</source>
     			</trans-unit>
     			<trans-unit id="formEngine.beUser.admin.information.userWillBecomeSystemMaintainer">
     				<source>This user is in the list of allowed system maintainers and will gain system level access if enabling admin access.</source>
     			</trans-unit>
    -			<trans-unit id="formEngine.beUser.admin.information.userAdminAndPasswordChangeNotAllowed">
    -				<source>This user is a system maintainer. Changing the admin flag and changing password is denied.</source>
    -			</trans-unit>
     			<trans-unit id="formEngine.pages.backendLayout.information.inheritFromParentPage">
     				<source>This page will most likely use backend layout "%s", inherited from a parent page.</source>
     			</trans-unit>
    
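Review bot: the `<source>` of the existing id `error.adminCanNotChangeSystemMaintainer` is rewritten from "admin flag and password" to "details" while the id is kept, so every existing translation of that unit keeps the narrower wording until translators pick up the change; a new id (as was done for `formEngine.beUser.information.adminCanNotChangeSystemMaintainer`) avoids the stale mismatch. Also verify that no template or data provider still references the removed `formEngine.beUser.admin.information.userAdminAndPasswordChangeNotAllowed`, since its consumer is not part of this change set.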

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
