
A severe security vulnerability has been identified in FoxCMS version v1.2.5. This critical flaw, tracked as CVE-2025-29306, is an unserialize vulnerability that permits unauthenticated Remote Code Execution (RCE).
The nature of this vulnerability is particularly dangerous because it allows attackers to execute arbitrary code on the server hosting FoxCMS v1.2.5 without needing any form of authentication. Exploiting an unserialize vulnerability typically involves crafting malicious serialized data that, when processed by the application, triggers unintended behavior, leading to code execution.
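As an added illustration (not FoxCMS code and not taken from the advisory), the PHP pattern behind an unserialize-to-RCE bug, next to the two mitigations a maintainer would apply; the `CacheEntry` class and the request parameter are constructed for the demo:

```php
<?php
// Added illustration, not FoxCMS code: the bug class behind CVE-2025-29306.
// Any class with a magic method that the autoloader can reach is a potential
// "gadget": unserialize() instantiates it and PHP calls __wakeup() (and later
// __destruct()) before the application ever inspects the result.
final class CacheEntry
{
    public static int $wakeups = 0;   // demo counter: how often __wakeup() ran
    public string $key = 'k';

    public function __wakeup(): void
    {
        // In a real gadget this body would be a file write, an include or a
        // callable invocation; here it only records that it executed.
        self::$wakeups++;
    }
}

// Simulate a request parameter the attacker controls (constructed locally;
// in the vulnerable pattern it arrives in a cookie, POST field, etc.).
$untrusted = serialize(new CacheEntry());

// Vulnerable pattern: untrusted bytes passed straight to unserialize().
// The class is instantiated and its magic method runs with no authentication
// having taken place.
$obj = unserialize($untrusted);
var_dump($obj instanceof CacheEntry, CacheEntry::$wakeups);

// Mitigation 1: refuse to instantiate any class. The payload becomes a
// __PHP_Incomplete_Class stub and no magic method is invoked, so the
// counter does not change.
$stub = unserialize($untrusted, ['allowed_classes' => false]);
var_dump($stub instanceof __PHP_Incomplete_Class, CacheEntry::$wakeups);

// Mitigation 2: do not use serialize() for data that crosses a trust
// boundary at all; JSON carries no class information.
$data = json_decode('{"key":"k"}', true, 512, JSON_THROW_ON_ERROR);
var_dump(is_array($data));
```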
The impact of successful exploitation is catastrophic. An attacker could gain complete control over the affected FoxCMS instance, potentially leading to data theft, system compromise, defacement, or further network intrusion. The fact that no authentication is required makes this a high-risk issue, as it can be easily exploited by anyone with network access to the vulnerable system.
This discovery highlights a significant security gap in FoxCMS v1.2.5. Users and administrators running this specific version should treat this unauthenticated RCE vulnerability as a critical risk. Immediate steps should be taken to determine whether their installations are affected and to prepare for mitigation once a fix or workaround is available. Vigilance and monitoring for official security updates or workarounds are paramount to protect systems from compromise via CVE-2025-29306.
Source: https://www.offsec.com/blog/cve-2025-29306/