CVE-2025-52353

CRITICAL

Badaso CMS 2.9.11 - Authenticated Remote Code Execution via Media Manager File Upload

Title source: llm

Description

An arbitrary code execution vulnerability in Badaso CMS 2.9.11. The Media Manager allows authenticated users to upload files containing embedded PHP code via the file-upload endpoint, bypassing content-type validation. When such a file is accessed via its URL, the server executes the PHP payload, enabling an attacker to run arbitrary system commands and achieve full compromise of the underlying host. This has been demonstrated by embedding a backdoor within a PDF and renaming it with a .php extension.

References (2)

Core 2

Core References

Product

https://github.com/uasoft-indonesia/badaso

View Writeup ZIP pw:eip

Exploit, Third Party Advisory

https://medium.com/@pat.sanitjairak/remote-code-execution-in-a-plain-view-0f86f183543d

Scores

CVSS v3 9.8

EPSS 0.0061

EPSS Percentile 44.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-434

Status published

Products (2)

badaso/core 0Packagist

uatech/badaso 2.9.11

Published Aug 26, 2025

Tracked Since Feb 18, 2026