PHP Object Injection Vulnerability in UNA CMS by UNA
CVE-2025-66571

9.3CRITICAL

Key Information:

Vendor

UNA

Status
Una Cms
Vendor
CVE Published:
4 December 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-66571?

UNA CMS versions 9.0.0-RC1 through 14.0.0-RC4 are affected by a PHP object injection vulnerability located in the BxBaseMenuSetAclLevel.php file. This vulnerability arises when the profile_id parameter is processed through the PHP unserialize() function without adequate validation. As a result, remote, unauthenticated attackers can exploit this flaw to inject arbitrary PHP objects, enabling them to execute arbitrary PHP code on the affected systems, potentially leading to severe security breaches. It is vital for users of UNA CMS to apply patches or upgrade to a secure version to mitigate the risks posed by this vulnerability.

Affected Version(s)

UNA CMS 9.0.0-RC1 <= 14.0.0-RC4

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-66571 - Proof of Concept

References

https://www.exploit-db.com/exploits/52139
exploit
https://unacms.com
product
https://github.com/unacms/una
product

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Egidio Romano aka EgiX
JSON
.
CVE-2025-66571 : PHP Object Injection Vulnerability in UNA CMS by UNA