Description

An arbitrary code execution vulnerability in Badaso CMS 2.9.11. The Media Manager allows authenticated users to upload files containing embedded PHP code via the file-upload endpoint, bypassing content-type validation. When such a file is accessed via its URL, the server executes the PHP payload, enabling an attacker to run arbitrary system commands and achieve full compromise of the underlying host. This has been demonstrated by embedding a backdoor within a PDF and renaming it with a .php extension.

INFO

Published Date :

2025-08-26T00:00:00.000Z

Last Modified :

2025-08-28T16:31:44.060Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-52353 vulnerability.

Vendors Products
Uatech
  • Badaso
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-52353.

URL Resource
https://github.com/uasoft-indonesia/badaso cve-icon cve-icon
https://medium.com/@pat.sanitjairak/remote-code-execution-in-a-plain-view-0f86f183543d cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact