CVE-2025-15375 is a deserialization vulnerability found in EyouCMS, a content management system, affecting versions 1.7.0 through 1.7.7. The flaw resides in the unserialize function located in the file application/api/controller/Ajax.php, specifically within the arcpagelist handler component. The vulnerability arises from unsafe deserialization of user-controllable input passed via the 'attstr' argument. Deserialization vulnerabilities can allow attackers to manipulate serialized data to execute arbitrary code, escalate privileges, or cause denial of service, depending on the context and the deserialized objects. In this case, the attack vector is remote and does not require authentication or user interaction, increasing the risk of exploitation. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L, meaning low privileges), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). The vendor has acknowledged the vulnerability and is preparing a patch in version 1.7.8. Although an exploit has been published, there are no confirmed reports of active exploitation in the wild. This vulnerability highlights the risks of unsafe deserialization in web applications, especially CMS platforms that process user input for dynamic content generation.

The potential impact of CVE-2025-15375 includes unauthorized access to sensitive information, data tampering, and service disruption within affected EyouCMS installations. Because the vulnerability allows remote exploitation without authentication or user interaction, attackers can leverage it to compromise the confidentiality, integrity, and availability of CMS-managed websites. This could lead to defacement, data leakage, or partial denial of service, affecting the trustworthiness and availability of web services. Organizations relying on EyouCMS for content delivery or business operations may face reputational damage, loss of customer trust, and potential regulatory consequences if sensitive data is exposed. However, the impact is rated medium due to the limited scope of the vulnerability's effects and the requirement for low privileges rather than full administrative access. The absence of confirmed widespread exploitation reduces immediate risk but does not eliminate the threat, especially as proof-of-concept exploits are publicly available.

To mitigate CVE-2025-15375, organizations should promptly upgrade EyouCMS to version 1.7.8 or later once it is released by the vendor. Until the patch is applied, implement strict input validation and sanitization on the 'attstr' parameter to prevent malicious serialized data from being processed. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious deserialization payloads targeting the arcpagelist handler. Monitor application logs for unusual activity related to the Ajax.php endpoint, including unexpected unserialize calls or malformed input patterns. Restrict access to the vulnerable API endpoint where feasible, limiting exposure to trusted networks or IP addresses. Conduct regular security assessments and code reviews focusing on deserialization usage to identify and remediate similar issues proactively. Additionally, consider deploying runtime application self-protection (RASP) solutions that can detect and block deserialization attacks in real time. Educate development teams on secure coding practices to avoid unsafe deserialization in future releases.