Arbitrary Code Execution Vulnerability in Badaso CMS by Uasoft Indonesia
CVE-2025-52353

9.8CRITICAL

Key Information:

Vendor: Uasoft Indonesia
Status: Badaso CMS
Vendor: CVE Published:; 26 August 2025

🔔 Create Uasoft Indonesia Vulnerability Alert

What is CVE-2025-52353?

An arbitrary code execution vulnerability has been identified in Badaso CMS version 2.9.11, allowing attackers to exploit the Media Manager feature. Authenticated users can upload files containing malicious PHP code through the file-upload endpoint, effectively bypassing content-type validations. When these files are accessed via their respective URLs, the server erroneously executes the embedded code, granting attackers the ability to run arbitrary commands on the server. A notable exploitation method involves embedding a backdoor within a seemingly harmless PDF file, renamed with a .php extension, demonstrating the critical implications of this vulnerability.

References

https://github.com/uasoft-indonesia/badaso

https://medium.com/@pat.sanitjairak/remote-code-execution...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 26, 2025
Vulnerability Reserved
Jun 16, 2025

JSON