CVE-2025-29306 – Unauthenticated Remote Code Execution in FoxCMS v1.2.5 via Unserialize Injection

Jul 3, 2025
Discover details about CVE-2025-29306, a critical RCE vulnerability in FoxCMS 1.2.5. Learn how unsafe use of PHP’s unserialize() function enables remote attackers to execute arbitrary system commands.
Overview
CVE-2025-29306 is a critical remote code execution (RCE) vulnerability affecting FoxCMS version 1.2.5. The flaw stems from unsafe handling of the id parameter, which is passed directly into PHP’s unserialize() function without validation. Attackers can supply malicious serialized PHP objects that trigger arbitrary command execution via system().
- CVE ID: CVE-2025-29306
- Severity: Critical
- CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- EPSS Score: 71.52%
- Affected Version: FoxCMS ≤ 1.2.5
- Patched Version: None released as of writing
- Authentication Required: No
- Impact: Remote Code Execution
Technical Breakdown
FoxCMS uses unserialize() directly on user-supplied input from the id parameter. When a malicious serialized PHP object is supplied, FoxCMS inadvertently executes attacker-controlled PHP code.
A typical payload might inject PHP code such as:
${@print_r(@system("id"))}
When deserialized and evaluated, this results in arbitrary OS command execution. This technique is known as PHP Object Injection (POI), leveraging unserialize() as the initial injection vector.
Conditions for Exploitation
- FoxCMS v1.2.5 installed and publicly reachable
- No login or authentication required
- PHP deserialization gadgets available in the environment
- PHP has shell access (default in many configurations)
Exploitation Steps
To compromise a vulnerable installation, an attacker crafts a POST request to the vulnerable case display page, injecting PHP code that is subsequently written to a .php file.
Simple Browser PoC
A known exploit simply calls phpinfo(). Replace TARGET with the target’s hostname or IP address; visiting the URL reveals the full phpinfo() output, confirming code execution.
http://TARGET/images/index.html?id=${@print(phpinfo())}
PoC with curl
Swap out phpinfo() for an OS command, e.g. id:
curl "http://TARGET/images/index.html?id=%24%7B%40print%28system%28%22id%22%29%29%7D"
This confirms the vulnerability and demonstrates remote code execution via unserialize-based injection in FoxCMS v1.2.5.
Mitigation
No official patch exists yet. Users should:
- Remove or replace unserialize() usage with safer methods (e.g. JSON decoding)
- Filter or validate all input parameters
- Block public access to vulnerable pages
- Deploy WAF signatures to detect serialized payloads
- Disable dangerous PHP functions like system() if not needed
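As an added example (not code from the advisory or from FoxCMS), the following Python script implements the detection idea from the mitigation list: it scans web-server access log lines for requests to the vulnerable page whose id parameter carries either the ${@...} code-injection wrapper used in the payloads above or the header of a PHP serialized object. The log lines are constructed for illustration; the path and parameter name are taken from the PoC URLs.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jul/2025:10:01:02 +0000] "GET /images/index.html?id=%24%7B%40print%28system%28%22id%22%29%29%7D HTTP/1.1" 200 512
203.0.113.6 - - [03/Jul/2025:10:01:05 +0000] "GET /images/index.html?id=42 HTTP/1.1" 200 1024
203.0.113.7 - - [03/Jul/2025:10:01:09 +0000] "GET /images/index.html?id=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 500 0
203.0.113.8 - - [03/Jul/2025:10:01:12 +0000] "GET /about.html HTTP/1.1" 200 2048
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')

# Indicators taken from the advisory: the ${@...} wrapper seen in the PoC payloads
# and the header of a PHP serialized object, e.g. O:8:"stdClass":0:{}
CODE_INJECTION_RE = re.compile(r'\$\{@')
SERIALIZED_OBJECT_RE = re.compile(r'\b[OC]:\d+:"[A-Za-z_\\][A-Za-z0-9_\\]*":\d+:\{')
# Vulnerable endpoint and parameter name, as given in the PoC URLs.
VULN_PATH = "/images/index.html"
VULN_PARAM = "id"

def classify_param(value):
    """Return the indicator names triggered by one (possibly still URL-encoded) parameter value."""
    decoded = unquote(value)  # parse_qs already decoded once; this also catches double-encoded payloads
    hits = []
    if CODE_INJECTION_RE.search(decoded):
        hits.append("php-code-injection")
    if SERIALIZED_OBJECT_RE.search(decoded):
        hits.append("php-serialized-object")
    return hits

def scan_log(text):
    """Return (client_ip, status, indicators) for each request to VULN_PATH whose id value looks malicious."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        url = urlsplit(m.group("target"))
        if url.path != VULN_PATH:
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get(VULN_PARAM, []):
            hits = classify_param(value)
            if hits:
                findings.append((m.group("ip"), m.group("status"), hits))
    return findings

if __name__ == "__main__":
    for ip, status, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} -> HTTP {status}: {', '.join(hits)}")
```

The same two regexes can be reused as WAF rules on the decoded query string; a 200 response to a flagged request is the case to triage first, since it indicates the injected code ran.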
References