Critical Authenticated Remote Code Execution Vulnerability in JuzaWeb CMS 3.4.2 (CVE-2025-5425) – Exploit in the Wild and Mitigation Guidance

Executive Summary

A critical security vulnerability has been discovered in JuzaWeb CMS version 3.4.2, specifically enabling Authenticated Remote Code Execution (RCE) through broken access control mechanisms. This flaw, catalogued as CVE-2025-5425, allows any authenticated user, even those with the lowest privilege levels, to access the administrative Theme Editor interface and modify theme files. By injecting malicious PHP code, attackers can achieve full remote code execution on the underlying web server. The vulnerability is publicly documented, with proof-of-concept exploits available, and there is credible evidence of exploitation in the wild. Organizations using JuzaWeb CMS 3.4.2 or earlier versions in the 3.4.x branch are at immediate risk and should prioritize mitigation and monitoring efforts.

Technical Information

The vulnerability in JuzaWeb CMS 3.4.2 arises from improper enforcement of access controls on the Theme Editor page, located at /admin-cp/theme/editor/default. The intended design restricts this page to administrative users only; however, due to a misconfiguration in the privilege assignment logic (CWE-266: Incorrect Privilege Assignment), any authenticated user can directly access this endpoint. This is a classic case of broken access control, where the application fails to verify the user's role before granting access to sensitive functionality.

The attack vector is straightforward. An attacker creates a new user account with all permissions disabled, logs in, and navigates directly to the Theme Editor URL. Despite lacking administrative privileges, the user is granted full access to edit theme files. By uploading or modifying PHP files within the theme, the attacker can inject arbitrary code, which the web server will execute. This results in a complete compromise of the CMS and potentially the entire server environment.

The vulnerability is classified as moderate on the CVSS v4.0 scale, with a base score of 5.3. The attack vector is network-based, requires low attack complexity, and only low privileges are needed. No user interaction is required beyond authentication. The vulnerability impacts confidentiality, integrity, and availability at the local level, but does not directly affect system or application scope.

The public exploit, as documented by the security researcher Cyber-Wo0dy, demonstrates the attack in detail. The proof-of-concept involves creating a low-privilege user, logging in, and accessing the Theme Editor to inject a PHP web shell. Once the shell is in place, the attacker can execute arbitrary commands, escalate privileges, exfiltrate data, or pivot to other systems.

Indicators of compromise include unexpected access to the Theme Editor by non-admin users, unauthorized modifications to theme files (especially PHP files), the presence of web shells or suspicious code in theme directories, and authentication logs showing low-privilege users accessing administrative endpoints.

The vulnerability maps to the following MITRE ATT&CK techniques: T1190 (Exploit Public-Facing Application) and T1059 (Command and Scripting Interpreter). Attackers exploiting this flaw can gain initial access to the application and then execute arbitrary commands on the server.

Exploitation in the Wild

The exploit for JuzaWeb CMS 3.4.2 has been publicly disclosed and is available on GitHub and other security forums. There is no evidence of a vendor patch or official response as of June 2025. The attack requires only a valid user account, which can often be obtained through registration or credential stuffing. The complexity is low, making this vulnerability attractive to a wide range of threat actors, from opportunistic cybercriminals to more advanced adversaries.

Reports from open-source intelligence and security monitoring platforms indicate that exploitation attempts have been observed in the wild. Attackers are actively scanning for exposed JuzaWeb CMS instances and attempting to leverage this flaw to deploy web shells, establish persistence, and move laterally within compromised environments. The availability of a working proof-of-concept lowers the barrier to entry for attackers and increases the urgency for organizations to respond.

APT Groups using this vulnerability

As of the latest intelligence, no specific Advanced Persistent Threat (APT) groups have been publicly linked to the exploitation of CVE-2025-5425 in JuzaWeb CMS. Neither the CVE Exploit in the Wild Finder nor the CVE Threat Actors Finder has identified any APT campaigns leveraging this vulnerability. However, the low complexity, public exploit code, and potential for full system compromise make this vulnerability highly attractive to a broad spectrum of threat actors, including cybercriminals and potentially APTs in the future. Organizations should remain vigilant, as the threat landscape can evolve rapidly once a vulnerability becomes widely known and exploited.

Affected Product Versions

The following versions of JuzaWeb CMS are confirmed to be affected by this vulnerability: JuzaWeb CMS 3.4, JuzaWeb CMS 3.4.1, and JuzaWeb CMS 3.4.2. According to the NVD CPE configuration, all versions from 3.4 up to and including 3.4.2 are vulnerable. Earlier versions may also be at risk if they share the same access control implementation, but the vulnerability has been explicitly confirmed in the 3.4.x branch.

Organizations running any of these versions should assume they are vulnerable and take immediate action to mitigate the risk.

Workaround and Mitigation

Until an official patch is released by the JuzaWeb CMS vendor, organizations should implement the following mitigations to reduce exposure:

- Restrict access to the /admin-cp/theme/editor/default endpoint to administrative users only, using web server configuration rules, application-level access controls, or network segmentation.
- Audit all user roles and permissions to ensure that only authorized personnel have access to sensitive administrative functions.
- Monitor authentication and access logs for signs of unauthorized access to the Theme Editor or unexpected modifications to theme files.
- Remove or disable unused or unnecessary user accounts to minimize the attack surface.
- Apply any patches or security updates released by the vendor as soon as they become available.
- Consider deploying a web application firewall (WAF) to detect and block suspicious requests targeting administrative endpoints.

Organizations should also conduct a thorough review of their JuzaWeb CMS installations for indicators of compromise, such as unauthorized file changes, the presence of web shells, or anomalous user activity. If compromise is suspected, initiate incident response procedures immediately.
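The following is an added example, not code from the advisory or from JuzaWeb, showing how the two monitoring tasks above (flagging non-admin requests to the Theme Editor endpoint, and detecting PHP files added to or changed in a theme directory) can be scripted. The log lines are constructed, and it assumes the web server records the CMS username in the remote-user field of the combined log format; the admin set is supplied by the operator.

```python
import hashlib
import re
from pathlib import Path

THEME_EDITOR = "/admin-cp/theme/editor/"   # endpoint named in the advisory

# Constructed sample log. Assumption: the web server writes the CMS username
# into the remote-user field of the combined log format.
SAMPLE_LOG = """\
10.0.0.5 - alice [01/Jun/2025:10:01:02 +0000] "GET /admin-cp/theme/editor/default HTTP/1.1" 200 5120
10.0.0.9 - guest42 [01/Jun/2025:10:03:17 +0000] "GET /admin-cp/theme/editor/default HTTP/1.1" 200 5120
10.0.0.9 - guest42 [01/Jun/2025:10:03:40 +0000] "POST /admin-cp/theme/editor/default HTTP/1.1" 200 231
10.0.0.7 - bob [01/Jun/2025:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 8800
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)


def flag_theme_editor_access(log_text, admins):
    """Return (user, method, path) for each Theme Editor request by a non-admin."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["path"].startswith(THEME_EDITOR) and m["user"] not in admins:
            hits.append((m["user"], m["method"], m["path"]))
    return hits


def baseline_theme(theme_dir):
    """Map each PHP file under theme_dir (relative path) to its SHA-256 digest."""
    root = Path(theme_dir)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*.php")
    }


def diff_theme(baseline, current):
    """PHP files that appeared or changed since the baseline snapshot was taken."""
    added = sorted(set(current) - set(baseline))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "changed": changed}


if __name__ == "__main__":
    for hit in flag_theme_editor_access(SAMPLE_LOG, admins={"alice"}):
        print("non-admin Theme Editor access:", hit)
```

Take the theme baseline from a known-good install and compare it on a schedule; any entry in "added" or "changed" that no administrator can account for is an indicator worth treating as a possible compromise.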

Rescana is here for you

At Rescana, we understand the critical importance of proactive risk management in today’s rapidly evolving threat landscape. Our Third-Party Risk Management (TPRM) platform empowers organizations to continuously monitor, assess, and mitigate cyber risks across their digital supply chain. While this report focuses on a specific vulnerability in JuzaWeb CMS, our platform is designed to provide comprehensive visibility and actionable intelligence for a wide range of cybersecurity threats. If you have any questions about this advisory or require assistance with incident response, our team is ready to help. Please contact us at ops@rescana.com.