[2025.04 Vulnerability Report] FOXCMS Qianhu Remote Code Execution (CVE-2025-29306)
CVE-2025-29306 is a vulnerability that can pose a serious security threat to organizations using FoxCMS.
An attacker can exploit this vulnerability to gain complete control of the system, which can result in data leakage, service interruption, etc. Therefore, prompt patching and security enhancement measures are required for this vulnerability.
Our AIWAF product develops patterns to respond to vulnerabilities occurring within web components, and we will also respond promptly to related vulnerabilities that are discovered in the future.
1. Overview
FOXCMS is a free and open-source website management system built on a PHP + MySQL architecture. We analyzed a Remote Code Execution vulnerability in the system's Qianhu content management system.
2. Attack Type
CVE-2025-29306 is a Remote Code Execution (RCE) vulnerability found in FoxCMS version 1.2.5. The vulnerability occurs in the case display page of the index.html component and could allow a remote attacker to execute malicious code to take full control of the system. This could result in a serious security threat, including the disclosure of confidential information, compromise of system integrity, or service disruption.
- Inject malicious code into a specific parameter (such as CASE or ID) in the web interface.
- The server passes the value directly to a function such as eval() or include() without filtering and processes it.
- This results in PHP code execution, which could allow an attacker to remotely execute system commands or obtain a shell.
- Example request:

    GET /index.php?page=display&case=<?php system('id'); ?> HTTP/1.1
    Host: vulnerable-foxcms.site
    User-Agent: Mozilla/5.0
    Connection: close

- If the server processes the <?php system('id'); ?> code inserted in the case parameter as is, the id command is executed and the system user information is output.
- By changing the system command, an attacker could also open a reverse shell, upload a webshell, or install a backdoor.
3. What to do
You should promptly apply the security patches provided by the FoxCMS developer to fix the vulnerability. You should also tighten access controls on your web application so that unauthorized users cannot reach the affected functionality.
Security threats such as malicious code injection should be prevented by thoroughly validating every value supplied by users. It is also important to have a web application firewall (WAF) and intrusion detection system (IDS) in place so that anomalous traffic can be monitored in real time and responded to quickly.
In addition, our AIWAF product responds to this vulnerability via the 306: Arbitrary Code Execution pattern.
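The two defensive controls described above, strict input validation and detection of anomalous requests, can be illustrated with the following Python example. It is added here for explanation and is not FoxCMS code or part of the AIWAF product. It assumes, as a hypothetical policy, that a case identifier is a short decimal integer (an allowlist check, so anything else is rejected rather than sanitized), and it runs a small signature set over constructed access-log lines after URL decoding, so that a percent-encoded or double-encoded PHP tag in the case parameter is still recognized.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (Common Log Format style); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2025:10:00:01 +0000] "GET /index.php?page=display&case=12 HTTP/1.1" 200 5120
203.0.113.9 - - [10/Apr/2025:10:00:02 +0000] "GET /index.php?page=display&case=%3C%3Fphp%20system%28%27id%27%29%3B%20%3F%3E HTTP/1.1" 200 310
198.51.100.7 - - [10/Apr/2025:10:00:03 +0000] "GET /index.php?page=display&case=%253C%253Fphp%2520echo%25201%253B%2520%253F%253E HTTP/1.1" 200 290
203.0.113.5 - - [10/Apr/2025:10:00:04 +0000] "GET /static/logo.png HTTP/1.1" 200 2048
203.0.113.20 - - [10/Apr/2025:10:00:05 +0000] "GET /index.php?page=display&case=about HTTP/1.1" 404 150
"""

# Assumed allowlist policy: a case identifier is 1 to 10 decimal digits, nothing else.
CASE_ID = re.compile(r"[0-9]{1,10}")


def validate_case_param(value: Optional[str]) -> Optional[int]:
    """Return the case id as an int if it passes the allowlist, otherwise None.

    Rejecting is safer than stripping: a value such as "<?php system('id'); ?>"
    is simply refused instead of being passed on to include()/eval().
    """
    if value is None or not CASE_ID.fullmatch(value):
        return None
    return int(value)


# Signatures for PHP code smuggled into query parameters; applied after decoding.
CODE_INJECTION_SIGNATURES = [
    ("php_open_tag", re.compile(r"<\?(php|=)", re.IGNORECASE)),
    ("php_exec_builtin",
     re.compile(r"\b(system|exec|shell_exec|passthru|eval)\s*\(", re.IGNORECASE)),
]

# Minimal Common Log Format parser: client ip, timestamp, method, target, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def inspect_request_target(target: str) -> list:
    """Return the names of checks that fire on one request target's query string."""
    hits = []
    query = urlsplit(target).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for raw in values:
            # parse_qs already decoded once; decode again to catch double encoding.
            decoded = unquote_plus(raw)
            for sig_name, pattern in CODE_INJECTION_SIGNATURES:
                if pattern.search(decoded):
                    hits.append(f"{sig_name}:{name}")
            # Apply the allowlist to the parameter the report identifies.
            if name == "case" and validate_case_param(decoded) is None:
                hits.append(f"case_allowlist:{name}")
    return hits


def scan_access_log(log_text: str) -> list:
    """Parse each log line and report the requests that trip at least one check."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        hits = inspect_request_target(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "target": m["target"], "signatures": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding["ip"], finding["signatures"], finding["target"])
```

Of the five constructed lines, the plain numeric case and the static image produce no finding; the encoded and double-encoded PHP tags trip the signature checks, and the non-numeric value trips only the allowlist check, which is the kind of lower-confidence event a practitioner would review rather than block outright.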
4. Conclusion
CVE-2025-29306 is a vulnerability that could pose a serious security threat to organizations using FoxCMS.
An attacker could exploit this vulnerability to gain full control of the system, which could result in data exfiltration, service disruption, and more. Therefore, it is imperative to quickly patch and harden against this vulnerability.
In our AIWAF product, we have developed patterns to respond to vulnerabilities that occur within web components, and we will continue to respond quickly to related vulnerabilities as they are discovered.