VYPR
High severity · NVD Advisory · Published Aug 26, 2025 · Updated Aug 28, 2025

CVE-2025-52353

Description

An arbitrary code execution vulnerability in Badaso CMS 2.9.11. The Media Manager allows authenticated users to upload files containing embedded PHP code via the file-upload endpoint, bypassing content-type validation. When such a file is accessed via its URL, the server executes the PHP payload, enabling an attacker to run arbitrary system commands and achieve full compromise of the underlying host. This has been demonstrated by embedding a backdoor within a PDF and renaming it with a .php extension.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated users can upload PHP files via Badaso CMS Media Manager, leading to remote code execution on the host.

The vulnerability resides in the Media Manager component of Badaso CMS 2.9.11, where the file upload endpoint fails to properly validate content types. This allows authenticated users to upload files containing embedded PHP code, for example by embedding a backdoor within a PDF and renaming it with a .php extension [1].

Exploitation requires an authenticated user with access to the Media Manager. The attacker uploads a file with a .php extension that contains PHP code. When the file is accessed via its URL, the server executes the PHP payload because the application does not prevent execution of user-uploaded PHP files [1].

Successful exploitation enables an attacker to run arbitrary system commands, leading to full compromise of the underlying host. The attacker can execute commands, read or modify files, and potentially pivot to other systems [1].

As of publication, no official patch has been released. Users should implement strict file type validation and consider disabling PHP execution in upload directories. The vendor's GitHub repository provides the source code for potential mitigation [2].
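One way to apply the two mitigations named above, as an added example that is not Badaso's own code (the function names, the extension allowlist and the storage directory are assumptions): the upload is judged by its last extension, by the MIME type sniffed from its bytes rather than the client-supplied Content-Type, and by a scan for PHP open tags, then stored under a server-generated name.

```php
<?php
// Added example, not Badaso code. Pair it with the web server refusing to run
// scripts under the upload path, e.g. in that directory:
//   Apache: <FilesMatch "\.ph(p\d?|tml|ar)$"> Require all denied </FilesMatch>
//   nginx:  location ~* ^/storage/.*\.php$ { deny all; }

// Hypothetical allowlist: last extension -> MIME types libmagic may report for it.
const ALLOWED = [
    'pdf'  => ['application/pdf'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
];

// Returns null when the file is acceptable, otherwise the rejection reason.
function rejectReason(string $tmpPath, string $clientName): ?string
{
    // 1. Allowlist the *last* extension (catches report.pdf.php, x.phtml, x.phar).
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return "extension '$ext' not allowed";
    }
    // 2. Sniff the MIME type from the bytes; $_FILES['type'] is attacker-controlled.
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!in_array($sniffed, ALLOWED[$ext], true)) {
        return "content ($sniffed) does not match extension '$ext'";
    }
    // 3. Defence in depth: a PDF or image never legitimately carries a PHP open tag,
    //    so a polyglot that passed step 2 is still refused.
    if (preg_match('/<\?(php|=)/i', file_get_contents($tmpPath))) {
        return 'embedded PHP open tag found';
    }
    return null;
}

// Stores an accepted upload under a random name in $dir (outside the web root).
// In a request handler use move_uploaded_file(); rename() keeps this runnable offline.
function storeUpload(string $tmpPath, string $clientName, string $dir): string
{
    if (($why = rejectReason($tmpPath, $clientName)) !== null) {
        throw new RuntimeException("upload rejected: $why");
    }
    $ext  = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    $dest = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!rename($tmpPath, $dest)) {
        throw new RuntimeException('could not store upload');
    }
    return $dest;
}

// Constructed input: a PDF header followed by a harmless PHP tag, as in the advisory.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "%PDF-1.4\n<?php echo 'x'; ?>\n");
echo rejectReason($tmp, 'report.php'), "\n";  // rejected at step 1
echo rejectReason($tmp, 'report.pdf'), "\n";  // passes steps 1-2, rejected at step 3
```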

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Affected versions   Patched versions
badaso/core (Packagist)  <= 2.9.11           none

Affected products

  • Badaso/CMS (source: description)
  • Badaso/CMS (source: llm-create), Range: = 2.9.11

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.