VYPR
High severity · NVD Advisory · Published Nov 25, 2025 · Updated Nov 25, 2025

CVE-2025-64050

Description

A Remote Code Execution (RCE) vulnerability in the template management component in REDAXO CMS 5.20.0 allows remote authenticated administrators to execute arbitrary operating system commands by injecting PHP code into an active template. The payload is executed when visitors access frontend pages using the compromised template.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2025-64050 is a critical RCE in REDAXO CMS 5.20.0 allowing authenticated admins to execute OS commands via PHP injection in active templates, triggered on frontend page loads.

Vulnerability

Overview

CVE-2025-64050 is a Remote Code Execution (RCE) vulnerability in the template management component of REDAXO CMS version 5.20.0. The root cause is the lack of input sanitization or validation when administrators edit active templates, allowing injection of arbitrary PHP code. The injected code is executed server-side when any visitor loads a frontend page that uses the compromised template [1][2][4].

Exploitation

Prerequisites and Attack Surface

Exploitation requires an authenticated session with administrative privileges in the REDAXO backend. The attacker navigates to the template management page, selects an active template, and inserts a PHP payload (e.g., using `shell_exec` or `system`) into the template content. After saving, the payload is triggered automatically when any user (including unauthenticated visitors) accesses the site's frontend pages that rely on that template [2][4]. No additional user interaction is needed beyond the initial admin action.

Impact

Successful exploitation grants the attacker arbitrary operating system command execution in the context of the web server user. This can lead to full system compromise, including file disclosure (e.g., reading /etc/passwd), data theft from databases and configuration files, establishment of reverse shells for persistent remote access, and potential privilege escalation within the hosting environment [4].

Mitigation

Status

As of the publication date, no official patch has been released for REDAXO CMS 5.20.0. The vulnerability is publicly documented with proof-of-concept exploit steps [4]. Administrators should restrict backend access to trusted users, monitor template modifications, and apply any security updates from the vendor as soon as they become available. The CVE is not yet listed in CISA's KEV catalog.
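The template monitoring recommended above, as an added example that is not part of this advisory or of REDAXO itself: a Python audit that fingerprints each template's content against a saved baseline and flags PHP blocks that call OS-command functions. The page names shell_exec and system; the rest of the watchlist, the sample templates and the baseline are constructed for this example, and fetching template contents from a REDAXO installation is left to the operator.

```python
import hashlib
import re

# PHP functions that hand a string to the OS shell or spawn a process.
# Constructed watchlist for this example; extend it to match local policy.
OS_EXEC_FUNCTIONS = ("shell_exec", "system", "exec", "passthru", "popen", "proc_open")

# A call to one of those functions, not preceded by an identifier character
# (so my_system_check( is not a hit). Backticks are PHP's shell_exec operator.
_CALL_RE = re.compile(
    r"(?<![A-Za-z0-9_$])(" + "|".join(OS_EXEC_FUNCTIONS) + r")\s*\(", re.IGNORECASE
)
_BACKTICK_RE = re.compile(r"`[^`]+`")
_PHP_BLOCK_RE = re.compile(r"<\?(?:php)?(.*?)(?:\?>|\Z)", re.IGNORECASE | re.DOTALL)


def find_os_exec_calls(template_content):
    """Return the OS-command functions called inside the PHP blocks of a template."""
    hits = []
    for block in _PHP_BLOCK_RE.findall(template_content):
        hits.extend(m.group(1).lower() for m in _CALL_RE.finditer(block))
        if _BACKTICK_RE.search(block):
            hits.append("backtick-operator")
    return hits


def content_fingerprint(template_content):
    """SHA-256 of the template body; record it after each reviewed change."""
    return hashlib.sha256(template_content.encode("utf-8")).hexdigest()


def audit_templates(templates, baseline):
    """templates: {name: content}; baseline: {name: sha256}. Report changed or suspicious ones."""
    findings = []
    for name, content in templates.items():
        fingerprint = content_fingerprint(content)
        calls = find_os_exec_calls(content)
        changed = baseline.get(name) != fingerprint
        if changed or calls:
            findings.append({"template": name, "changed": changed, "os_exec_calls": calls})
    return findings


# Constructed sample templates (not taken from any REDAXO installation).
SAMPLE_TEMPLATES = {
    "default": "<!DOCTYPE html><html><body><main>REX_ARTICLE[]</main></body></html>",
    "footer": "<footer><?php echo date('Y'); ?></footer>",
    "tampered": "<html><body><?php echo shell_exec('id'); ?></body></html>",
}
# Baseline recorded before the 'tampered' template was edited.
SAMPLE_BASELINE = {n: content_fingerprint(c) for n, c in SAMPLE_TEMPLATES.items() if n != "tampered"}
```

Run on a schedule against the live template store; any finding with `changed` set that no reviewed change explains is worth an incident ticket.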

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package         Ecosystem   Affected versions   Patched versions
redaxo/source   Packagist   < 5.20.1            5.20.1

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0

No linked articles in our index yet.