CVE-2025-29306 — AI Deep Analysis Summary

🚨 **Essence**: FoxCMS v1.2.5 suffers from a **Service Parameter Injection** vulnerability in the `index.html` component.…

🛡️ **Root Cause**: Insecure parameter parsing in the `id` parameter. The system fails to sanitize inputs containing `${@print()}` expressions, allowing direct **Code Execution** via injection.…

📦 **Affected**: **FoxCMS (FOXCMS)** versions **1.2** and **1.2.5**. 🌐 It is an open-source PHP+MySQL content management system by Chinese company Qianhu (FoxCMS).

🔓 **Attacker Capabilities**: Full **Remote Code Execution (RCE)**. Hackers can run commands like `phpinfo()`, access sensitive data, and potentially gain **server control** (root/admin privileges).

🔑 **Exploitation Threshold**: **LOW**. No authentication required. It is a **Remote** vulnerability accessible via HTTP requests to `/images/index.html`. 🌍 Anyone on the internet can exploit it.

💣 **Public Exploits**: **YES**. Multiple PoCs are available on GitHub (e.g., `somatrasss`, `verylazytech`, `nuclei-templates`). Automated scanning tools like Nuclei already have templates.…

🔍 **Self-Check**: Send a GET request to: `http://[TARGET]/images/index.html?id=${@print(phpinfo())}`. ✅ **Vulnerable** if the response contains PHP info output. ❌ **Safe** if it returns an error or no PHP data.

🩹 **Official Fix**: The provided data does **not** mention an official patch or vendor update. ⚠️ As of the publication date (2025-03-27), no fix is confirmed in the text.

🛑 **Workaround**: Since no patch exists, **block access** to `/images/index.html` via WAF or firewall rules. 🚫 Restrict input parameters to prevent `${...}` injection patterns.…

🔥 **Urgency**: **CRITICAL**. It is an **Unauthenticated RCE** with public PoCs. Immediate action is required to prevent server takeover. Prioritize scanning and mitigation NOW. ⏳