← Back

CVE-2025-52353

nvd nist
Published: Aug 26, 2025Modified: Sep 9, 2025

JSON object

Loading...
9.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

An arbitrary code execution vulnerability in Badaso CMS 2.9.11. The Media Manager allows authenticated users to upload files containing embedded PHP code via the file-upload endpoint, bypassing content-type validation. When such a file is accessed via its URL, the server executes the PHP payload, enabling an attacker to run arbitrary system commands and achieve full compromise of the underlying host. This has been demonstrated by embedding a backdoor within a PDF and renaming it with a .php extension.

Affected (1)

Products: Uatech: Badaso
Uatech
1 product
Badaso
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Badaso
Version 2.9.11

Related CWEs

CWE-434
Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (2)

Source: cve@mitre.org
Product
Source: cve@mitre.org
ExploitThird Party Advisory

Timeline

No history available yet.