CVE-2025-61505

MEDIUM

e107 < 2.3.3 - Remote Code Execution via Insecure Deserialization in install.php


Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-61505. PoCs published by pescada-dev.

AI-analyzed exploit summary

This repository contains a detailed writeup of CVE-2025-61505, a PHP Object Injection vulnerability in e107 CMS 2.x. The vulnerability arises from unsafe use of `unserialize()` on user-controlled input in the installation script (`install.php`), potentially leading to arbitrary code execution or data manipulation.

Description

e107 CMS versions through 2.3.3 are vulnerable to insecure deserialization in the `install.php` script. The script passes the user-controlled `previous_steps` POST parameter to `unserialize(base64_decode())` without validation, so an attacker can supply crafted serialized data. Depending on which PHP object gadgets are available in the codebase, this could lead to remote code execution, arbitrary file operations, or denial of service.
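
The pattern described above next to a hardened decoder, as an added example that is not e107's own code. The function names, the size cap, and the assumption that `previous_steps` should only ever carry an array of scalar values are illustrative.

```php
<?php
// Added example, not e107 code. Function names are hypothetical.

// Pattern from the description: every class named in the payload is
// instantiated, so magic methods on any loaded class become reachable.
function load_steps_unsafe(string $field)
{
    return unserialize(base64_decode($field));
}

// True if a value holds an object (or its placeholder) at any depth.
function contains_object($value): bool
{
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened: strict base64, size cap, no class instantiation, shape check.
function load_steps_safe(string $field, int $maxBytes = 65536): array
{
    $raw = base64_decode($field, true);   // strict mode: false on bad input
    if ($raw === false || strlen($raw) > $maxBytes) {
        return [];
    }
    // allowed_classes => false (PHP 7.0+) yields __PHP_Incomplete_Class
    // placeholders instead of constructing the named classes.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data) || contains_object($data)) {
        return [];
    }
    return $data;
}

// Constructed sample inputs.
$benign = base64_encode(serialize(['language' => 'English', 'step' => 3]));
$nested = base64_encode('a:1:{s:1:"x";O:8:"stdClass":0:{}}');

var_dump(load_steps_safe($benign) === ['language' => 'English', 'step' => 3]);
var_dump(load_steps_safe($nested) === []);
```

Carrying the installer state as JSON, or keeping it in a server-side session, removes `unserialize()` from the request path altogether.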

Exploits (1)

nomisec WRITEUP 1 stars
by pescada-dev · poc
https://github.com/pescada-dev/CVE-2025-61505

Classification: Writeup 100%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Theoretical
Target: e107 CMS ≤ 2.3.3
No auth needed
Prerequisites: Access to the installation script (`install.php`) during setup · Presence of exploitable gadget classes in the e107 codebase or dependencies
devstral-2 · analyzed Feb 16, 2026

References (2)

Core 2
Core References
Mitigation, Third Party Advisory
https://xancatos.org/cve202561505

Scores

CVSS v3 6.5
EPSS 0.0033
EPSS Percentile 24.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-502
Status published
Products (1)
e107/e107 < 2.3.3
Published Oct 10, 2025
Tracked Since Feb 18, 2026