CVE-2025-29306

Critical · Exploited · Nuclei

FoxCMS v.1.2.5 - Remote Code Execution

Title source: nuclei

Exploitation Summary

CVE-2025-29306 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 8 public exploits from researchers including VeryLazyTech, Mattb709, verylazytech. A Nuclei detection template is also available.

AI-analyzed exploit summary

This exploit leverages a remote code execution (RCE) vulnerability in FoxCMS v1.2.5 by injecting a crafted payload into the 'id' parameter, which is then processed by the application to execute arbitrary commands. The script encodes the payload, sends it via a GET request, and parses the response to extract command output.

Description

An issue in FoxCMS v.1.2.5 allows a remote attacker to execute arbitrary code via the case display page in the index.html component.

Exploits (8)

exploitdb · WORKING POC
by VeryLazyTech · webapps · multiple
https://www.exploit-db.com/exploits/52267

This exploit leverages a remote code execution (RCE) vulnerability in FoxCMS v1.2.5 by injecting a crafted payload into the 'id' parameter, which is then processed by the application to execute arbitrary commands. The script encodes the payload, sends it via a GET request, and parses the response to extract command output.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: FoxCMS v1.2.5
No auth needed
Prerequisites: Target URL · Command to execute
Analyzed by devstral-2 on Feb 18, 2026
nomisec · WORKING POC · 6 stars
by Mattb709 · remote
https://github.com/Mattb709/CVE-2025-29306-PoC-FoxCMS-RCE

This repository contains a Python-based exploit for CVE-2025-29306, a remote code execution vulnerability in FoxCMS. The exploit allows command execution via a crafted URL parameter and includes bulk scanning capabilities.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: FoxCMS
No auth needed
Prerequisites: Network access to the target FoxCMS instance · FoxCMS with the vulnerable endpoint exposed
Analyzed by devstral-2 on Feb 16, 2026
nomisec · WORKING POC · 2 stars
by verylazytech · remote
https://github.com/verylazytech/CVE-2025-29306

This repository contains a functional proof-of-concept exploit for CVE-2025-29306, targeting a remote code execution vulnerability in FoxCMS v1.2.5 via the /images/index.html component. The exploit uses a crafted URL with an encoded payload to execute arbitrary commands on the target system.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: FoxCMS v1.2.5
No auth needed
Prerequisites: Target running FoxCMS v1.2.5 · Network access to the target
Analyzed by devstral-2 on Feb 16, 2026
nomisec · WORKING POC · 1 star
by inok009 · remote
https://github.com/inok009/FOXCMS-CVE-2025-29306-POC

This repository contains a Python-based PoC for CVE-2025-29306, a Remote Code Execution (RCE) vulnerability in FOXCMS v1.2. The exploit leverages insecure parameter parsing in the 'id' parameter to inject PHP code via `${@print()}` expressions.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: FOXCMS v1.2
No auth needed
Prerequisites: Python 3.x · requests library · target URL with vulnerable endpoint
Analyzed by devstral-2 on Feb 16, 2026
nomisec · SCANNER
by mantanhacker · poc
https://github.com/mantanhacker/Mass-CVE-2025-29306

This repository describes a Bash-based tool for automating RCE testing against FoxCMS (CVE-2025-29306). The tool is compiled with SHC and requires a target list (urls.txt) to execute commands remotely.

Classification: Scanner (70%)
Attack Type: RCE
Complexity: Moderate
Reliability: Theoretical
Target: FoxCMS (version unspecified)
No auth needed
Prerequisites: curl · python3 · libxml2-utils · urls.txt with target list
Analyzed by devstral-2 on Feb 16, 2026
nomisec · WORKING POC
by amalpvatayam67 · infoleak
https://github.com/amalpvatayam67/day06-foxcms-rce

This repository contains a functional proof-of-concept for CVE-2025-29306, demonstrating an unsafe deserialization vulnerability leading to remote code execution (RCE). The exploit leverages a crafted serialized payload to execute arbitrary commands via `eval()` in a controlled lab environment.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: FoxCMS (educational replica)
No auth needed
Prerequisites: Docker environment · Network access to the target
Analyzed by devstral-2 on Feb 16, 2026
nomisec · WORKING POC
by congdong007 · remote
https://github.com/congdong007/CVE-2025-29306_poc

This PoC exploits an arbitrary code execution vulnerability in FoxCMS v1.2.5 by injecting a payload into the 'id' parameter, which is then processed by the server, allowing remote command execution. The script supports both single URL and bulk URL testing with threaded execution.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: FoxCMS v1.2.5
No auth needed
Prerequisites: Target running FoxCMS v1.2.5 · Network access to the target
Analyzed by devstral-2 on Feb 16, 2026
nomisec · WRITEUP
by somatrasss · remote
https://github.com/somatrasss/CVE-2025-29306

This repository contains a writeup for CVE-2025-29306, detailing a parameter injection vulnerability in FOXCMS V1.2. The PoC demonstrates remote code execution via a crafted URL parameter.

Classification: Writeup (90%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: FOXCMS V1.2
No auth needed
Prerequisites: Access to the target URL
Analyzed by devstral-2 on Feb 16, 2026

Nuclei Templates (1)

FoxCMS v.1.2.5 - Remote Code Execution
Critical · Verified · by ritikchaddha
Shodan: html:"foxcms-logo"
FOFA: (body="foxcms-logo" || body="foxcms-container") && body="div"

References (1)

Core References (1)
Exploit, Third Party Advisory
https://github.com/somatrasss/CVE-2025-29306

Scores

CVSS v3: 9.8
EPSS: 0.8621
EPSS Percentile: 99.4%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Details

VulnCheck KEV: 2025-06-07
CWE: CWE-94
Status: published
Products (1): foxcms/foxcms < 1.2
Published: Mar 27, 2025
Tracked Since: Feb 18, 2026