PT-2025-51982 · Zzcms · Zzcms

Airrudder · Published 2025-12-17 · Updated 2025-12-30 · CVE-2025-14837

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

ZZCMS version 2025

Description

A code injection issue exists in ZZCMS 2025, specifically within the Backend Website Settings Module. The stripfxg function in the /admin/siteconfig.php file is affected. Manipulation of the icp argument can lead to code injection, and the attack can be executed remotely. The exploit has been publicly disclosed.

Recommendations

Apply any available updates to address the issue in the stripfxg function of the /admin/siteconfig.php file. As a temporary workaround, restrict access to the /admin/siteconfig.php file to minimize the risk of exploitation. Avoid using the icp parameter in the affected function until the issue is resolved.

Weakness Enumeration

Special Elements Injection

Code Injection

Related Identifiers

CVE-2025-14837

Affected Products

Zzcms