Insecure Deserialization Vulnerability in e107 CMS by e107 Inc.
CVE-2025-61505
6.5 MEDIUM
What is CVE-2025-61505?
e107 CMS versions up to 2.3.3 contain an insecure deserialization vulnerability in the install.php script. The script passes the previous_steps POST parameter through unserialize(base64_decode()), so an attacker can inject malicious serialized data, leading to remote code execution, arbitrary file operations, or potential denial of service. The impact depends on which exploitable PHP object gadgets are present in the environment.
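
The decoding pattern described above, beside a hardened form, as an added example (not e107's code and not the vendor's fix). The function names, the depth limit of 8 and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Pattern named in the advisory (shown only as the "before"; do not use):
//   $steps = unserialize(base64_decode($_POST['previous_steps']));

// Hypothetical helper: true if a decoded value holds an object at any depth.
function contains_object($value): bool
{
    if (is_object($value)) {
        return true; // includes __PHP_Incomplete_Class placeholders
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hypothetical hardened decoder for a client-supplied state field.
function decode_previous_steps(string $field): array
{
    // Strict mode rejects input containing non-base64 characters.
    $raw = base64_decode($field, true);
    if ($raw === false || $raw === '') {
        throw new InvalidArgumentException('not valid base64');
    }
    // allowed_classes => false: no class is instantiated, so no gadget's
    // __wakeup()/__destruct() can run. max_depth (PHP 7.4+) bounds nesting;
    // 8 is an assumed limit for flat installer state.
    $data = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 8]);
    if (!is_array($data) || contains_object($data)) {
        throw new InvalidArgumentException('expected an array of scalars');
    }
    return $data;
}

// Constructed sample inputs: a plain array is accepted, an object is refused.
$ok  = base64_encode(serialize(['language' => 'English', 'step' => 2]));
$bad = base64_encode(serialize(['step' => new stdClass()]));
var_dump(decode_previous_steps($ok));
try {
    decode_previous_steps($bad);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Disabling class instantiation removes the gadget dependency the description mentions, but the decoded values are still client-controlled and need their own validation before use.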
