CVE-2025-55041: n/a
CVE-2025-55041 is a high-severity CSRF vulnerability in MuraCMS versions through 10.1.10 affecting the Add To Group functionality in user management. The vulnerability allows attackers to escalate privileges by adding any user to unauthorized groups without proper authorization checks, due to missing CSRF token validation in the addToGroup method. Exploitation requires an authenticated administrator to visit a maliciously crafted webpage, which then forges requests to add users to groups. While escalation to the Super Admins (s2 user) group is not possible, attackers can achieve both horizontal and vertical privilege escalation to other administrative groups. The vulnerability has a CVSS score of 8.0, indicating high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild. Organizations using vulnerable MuraCMS versions should urgently implement mitigations to prevent unauthorized privilege escalation.
AI Analysis
Technical Summary
CVE-2025-55041 is a Cross-Site Request Forgery (CSRF) vulnerability affecting MuraCMS versions up to 10.1.10, specifically in the Add To Group functionality within the user management module (cUsers.cfc addToGroup method). The vulnerability arises because the addToGroup method lacks CSRF token validation and directly processes user-supplied parameters userId and groupId via the getUserManager().createUserInGorup() function. This design flaw allows attackers to craft malicious web pages that, when visited by an authenticated administrator, automatically send forged requests to add arbitrary users to arbitrary groups without proper authorization checks. Although the vulnerability prevents adding users to the highest privilege Super Admins group (s2 user), it enables attackers to escalate privileges both horizontally (to other groups) and vertically (to administrative groups below Super Admins). The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) indicates network attack vector, low attack complexity, requiring privileges and user interaction, with high impact on confidentiality, integrity, and availability. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery). No patches or known exploits are currently documented, but the risk is significant due to the potential for unauthorized privilege escalation and subsequent compromise of the CMS environment.
Potential Impact
The impact of CVE-2025-55041 is substantial for organizations using vulnerable versions of MuraCMS, especially those relying on it for critical web content management and user administration. Successful exploitation allows attackers to escalate privileges by adding users to unauthorized groups, potentially granting them administrative capabilities short of the Super Admins group. This can lead to unauthorized access to sensitive data, modification or deletion of content, disruption of services, and further lateral movement within the organization’s infrastructure. The vulnerability undermines the integrity and confidentiality of the CMS and can facilitate persistent unauthorized access. Since exploitation requires an authenticated administrator to visit a malicious page, targeted phishing or social engineering attacks could be leveraged to trigger the exploit. Organizations with large user bases or complex group management are particularly at risk, as attackers can manipulate group memberships to bypass security controls. The absence of known exploits in the wild suggests a window for proactive mitigation, but the high CVSS score reflects the critical need for remediation to prevent potential compromise.
Mitigation Recommendations
To mitigate CVE-2025-55041, organizations should implement the following specific measures:
1) Immediately review and restrict administrator access to trusted personnel and enforce strong authentication mechanisms to reduce the risk of compromised admin accounts.
2) Apply strict Content Security Policy (CSP) headers and SameSite cookie attributes to limit the ability of malicious sites to perform CSRF attacks.
3) Monitor and audit group membership changes regularly to detect unauthorized privilege escalations promptly.
4) If possible, upgrade MuraCMS to a version where this vulnerability is patched or apply custom patches that enforce CSRF token validation in the addToGroup method.
5) Educate administrators about the risks of visiting untrusted websites while logged into the CMS to reduce the likelihood of triggering CSRF attacks.
6) Implement web application firewalls (WAFs) with rules to detect and block suspicious CSRF-like requests targeting user management endpoints.
7) Employ multi-factor authentication (MFA) for administrator accounts to add an additional security layer.
These targeted actions go beyond generic advice by focusing on the specific attack vector and vulnerable functionality.
Affected Countries
United States, Canada, United Kingdom, Germany, Australia, Netherlands, France, India, Japan, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-08-06T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69bacf27771bdb1749ad8321
Added to database: 3/18/2026, 4:13:27 PM
Last enriched: 3/26/2026, 1:19:34 AM
Last updated: 4/29/2026, 9:51:51 PM
Views: 27