CVE-2025-15394: Code Injection in iCMS
A vulnerability was detected in iCMS up to 8.0.0. Affected is the function Save of the file app/config/ConfigAdmincp.php of the component POST Parameter Handler. The manipulation of the argument config results in code injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-15394 is a remote code injection vulnerability in iCMS up to version 8.0.0, located in the Save function of app/config/ConfigAdmincp.php. The root cause is insufficient sanitization and validation of the POST parameter 'config', which is handled by the POST Parameter Handler component. An attacker who controls this parameter can inject code that the application then executes, giving arbitrary code execution on the server. The attack can be launched remotely over the network without user interaction; however, the CVSS 4.0 vector requires high privileges (PR:H), so the attacker must already hold authenticated or elevated access to the administrative interface. The CVSS score of 5.1 (medium severity) reflects the balance between ease of exploitation and impact. The vendor was contacted early but has neither responded nor provided a patch, and public exploit code is available, which raises the likelihood of exploitation by threat actors. Successful exploitation compromises the confidentiality, integrity, and availability of affected systems: an attacker can execute arbitrary commands, potentially leading to full system compromise, data theft, or service disruption. The combination of no patch and a public exploit makes timely mitigation critical.
Potential Impact
For European organizations, the impact of CVE-2025-15394 can be significant, especially for those running iCMS up to version 8.0.0 for content management or administrative functions. Successful exploitation could lead to unauthorized code execution, enabling attackers to take control of web servers, access sensitive data, modify or delete content, and disrupt services. This could affect government agencies, financial institutions, healthcare providers, and enterprises that use iCMS for critical operations. The medium severity rating suggests moderate risk; however, the availability of public exploits and the absence of a vendor patch increase the likelihood of attacks. Organizations with internet-facing iCMS administrative interfaces are particularly exposed. A breach of confidentiality and integrity could result in regulatory non-compliance under GDPR, financial losses, reputational damage, and operational downtime. The high-privilege requirement limits exposure to some extent but does not eliminate risk, especially where credentials may be compromised or insider threats exist.
Mitigation Recommendations
1. Immediately restrict access to the iCMS administrative interface, and specifically to the Save function in app/config/ConfigAdmincp.php, with network-level controls such as IP whitelisting or VPN-only access.
2. Monitor web server logs for unusual POST requests targeting the 'config' parameter, looking for anomalous or malformed payloads indicative of code injection attempts.
3. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious POST parameter manipulations related to this vulnerability.
4. Conduct a thorough audit of user privileges to ensure that only trusted administrators hold high-level access, reducing the pool of accounts from which the vulnerability could be exploited.
5. Isolate and segment systems running iCMS to limit lateral movement in case of compromise.
6. Regularly back up critical data and configurations to enable recovery after an incident.
7. Engage with the vendor or community for updates and patches, and apply any security update promptly once available.
8. Consider temporarily disabling or replacing the vulnerable component, if feasible, until a patch is released.
9. Educate administrators on the risks and signs of exploitation to strengthen detection and response.
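The following script is an added example, not part of this advisory or of the iCMS project, showing how mitigations 1 and 2 can be combined into a simple log check: it parses web-server access log lines in Combined Log Format, picks out POST requests to the app/config/ConfigAdmincp.php endpoint named in the advisory, and flags any that originate outside an administrator IP allowlist. The log lines, IP addresses and allowlist networks are constructed for illustration; the allowlist and log format are assumptions to adapt to the local deployment.

```python
"""Added example (not from the advisory or the iCMS project): flag POST requests
to the vulnerable iCMS endpoint in access logs and check the source address
against an administrator allowlist. All sample data below is constructed."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Endpoint named in the advisory; matched with endswith() so that an install
# under a sub-directory (e.g. /icms/app/config/...) is still caught.
VULNERABLE_PATH = "app/config/ConfigAdmincp.php"

# Constructed allowlist: networks from which admin access is expected
# (mitigation 1). Replace with the real VPN / management ranges.
ADMIN_ALLOWLIST = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]

# Combined Log Format: host ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict of fields for a well-formed log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the query string so the path comparison is not fooled by parameters.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def is_allowlisted(ip):
    """True if ip parses and falls inside one of the admin networks."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_ALLOWLIST)


def find_suspicious(lines):
    """Return (ip, time, status, reason) for every POST to the vulnerable path.

    POSTs from outside the allowlist are tagged 'outside_allowlist' and should be
    treated as probable exploitation attempts given the public exploit. POSTs
    from allowlisted admin networks are still returned, tagged 'admin_save', so
    they can be reconciled against expected configuration changes (the high
    privilege requirement means a compromised admin account is the likely path).
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].endswith(VULNERABLE_PATH):
            continue
        reason = "admin_save" if is_allowlisted(rec["ip"]) else "outside_allowlist"
        hits.append((rec["ip"], rec["time"], rec["status"], reason))
    return hits


def count_by_ip(hits):
    """Per-source-IP counts, useful for spotting repeated attempts."""
    return Counter(ip for ip, *_ in hits)


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Dec/2025:19:13:54 +0000] "POST /app/config/ConfigAdmincp.php?tab=general HTTP/1.1" 200 512',
    '10.0.0.12 - - [31/Dec/2025:19:15:01 +0000] "POST /app/config/ConfigAdmincp.php HTTP/1.1" 302 0',
    '203.0.113.5 - - [31/Dec/2025:19:16:10 +0000] "GET /index.php HTTP/1.1" 200 2048',
    '198.51.100.7 - - [31/Dec/2025:19:17:22 +0000] "POST /icms/app/config/ConfigAdmincp.php HTTP/1.1" 500 77',
    '203.0.113.5 - - [31/Dec/2025:19:18:03 +0000] "POST /app/config/ConfigAdmincp.php HTTP/1.1" 200 512',
    'this line is not a valid access log entry',
]

if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for ip, when, status, reason in hits:
        print(f"{reason:18} {ip:14} {when} status={status}")
    print("attempts per IP:", dict(count_by_ip(hits)))
```

In a real deployment the script would read the live access log (or be expressed as the equivalent SIEM query) and the 'outside_allowlist' hits would feed an alert; the 'admin_save' hits are the ones to cross-check against change tickets, since the PR:H requirement means an attacker most likely arrives with a legitimate administrator session.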
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-12-31T09:30:03.872Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 695575f2db813ff03efb6cde
Added to database: 12/31/2025, 7:13:54 PM
Last enriched: 1/7/2026, 8:14:19 PM
Last updated: 2/6/2026, 10:06:28 AM
Views: 50