
CVE-2025-55041: n/a

Published: Wed Mar 18 2026 (03/18/2026, 00:00:00 UTC)
Source: CVE Database V5

Description

MuraCMS through 10.1.10 contains a CSRF vulnerability in the Add To Group functionality for user management (cUsers.cfc addToGroup method) that allows attackers to escalate privileges by adding any user to any group without proper authorization checks. The vulnerable function lacks CSRF token validation and directly processes user-supplied userId and groupId parameters via getUserManager().createUserInGorup(), enabling malicious websites to forge requests that automatically execute when an authenticated administrator visits a crafted page. Adding a user to the Super Admins group (s2 user) is not possible. Successful exploitation results in the attacker gaining privilege escalation both horizontally to other groups and vertically to the admin group. Escalation to the s2 User group is not possible.

AI-Powered Analysis

Last updated: 03/18/2026, 16:29:19 UTC

Technical Analysis

CVE-2025-55041 is a CSRF vulnerability affecting MuraCMS through version 10.1.10 in the Add To Group functionality within the user management module, specifically in the cUsers.cfc addToGroup method. The vulnerability arises because the function processes user-supplied parameters userId and groupId without validating a CSRF token, allowing attackers to craft malicious web requests that execute automatically when an authenticated administrator visits a malicious site. This lack of CSRF protection enables attackers to add arbitrary users to arbitrary groups without proper authorization checks. The underlying method getUserManager().createUserInGorup() (noting a likely typo in the function name) is directly invoked with attacker-controlled input. While the highest privilege group, Super Admins (s2 user), cannot be assigned via this exploit, attackers can still escalate privileges both horizontally (to other groups) and vertically (to admin-level groups). This means an attacker can elevate a low-privilege user to an admin or other sensitive group, compromising confidentiality, integrity, and availability of the CMS environment. No patch links or fixes are currently provided, and no known exploits are reported in the wild. The vulnerability was reserved in August 2025 and published in March 2026, but no CVSS score has been assigned yet. The absence of CSRF token validation in a critical user management function represents a fundamental security flaw that can be exploited via social engineering to compromise administrative accounts.

Potential Impact

The impact of CVE-2025-55041 is significant for organizations using vulnerable versions of MuraCMS. Successful exploitation allows attackers to escalate privileges by adding users to sensitive groups, including admin groups, thereby gaining unauthorized administrative control over the CMS. This can lead to unauthorized content modification, user data exposure, creation or deletion of users, and potential full system compromise depending on the CMS deployment. Horizontal privilege escalation allows attackers to manipulate group memberships broadly, potentially disrupting organizational workflows and access controls. Although the highest privilege group (Super Admins) cannot be assigned, admin-level access is sufficient to cause severe damage. The attack requires an authenticated administrator to visit a malicious webpage, making social engineering or phishing a likely attack vector. Organizations with web administrators who have access to the CMS backend are at risk. The vulnerability undermines trust in the CMS platform, potentially leading to data breaches, defacement, or use of the CMS as a pivot point for further network intrusion. The lack of known exploits in the wild suggests limited current exploitation, but the vulnerability's nature makes it a high-value target for attackers once weaponized.

Mitigation Recommendations

To mitigate CVE-2025-55041, organizations should immediately implement CSRF protections on the Add To Group functionality and all sensitive user management operations. This includes adding CSRF tokens that are validated server-side before processing requests. Restricting the ability to modify user group memberships to only the most trusted administrators and enforcing multi-factor authentication (MFA) for admin accounts can reduce risk. Administrators should be trained to recognize phishing and social engineering attempts to prevent inadvertent execution of malicious requests. Monitoring and logging of group membership changes should be enhanced to detect suspicious activity promptly. If possible, upgrade to a patched version of MuraCMS once available or apply custom patches to enforce authorization checks and CSRF validation. Network segmentation and web application firewalls (WAFs) can be configured to detect and block suspicious POST requests targeting the vulnerable endpoint. Regular security audits and penetration testing should be conducted to identify and remediate similar vulnerabilities proactively.
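As an added example of the first two recommendations (this is not MuraCMS code and not a vendor patch for this CVE), the following CFML component shows how a group-membership handler can be gated behind a request-method check, a server-side CSRF token check, an authorization check and an audit log entry. csrfVerifyToken(), csrfGenerateToken() and writeLog() are built-in ColdFusion/Lucee functions; isCurrentUserAdmin(), createUserInGroup(), session.currentUserId, session.isAdmin and the superAdminGroupId value are assumptions made for the example.

```cfml
component displayname="GroupMembershipHandler" {

    // Assumed identifier of the Super Admins (s2) group; the real value is deployment-specific.
    variables.superAdminGroupId = "S2_GROUP_ID_PLACEHOLDER";

    /**
     * Adds a user to a group only after the request has passed four gates:
     *   0. the request is a POST (a cross-site <img> or link cannot trigger it),
     *   1. the per-session CSRF token submitted with the form is valid,
     *   2. the caller is an authenticated administrator,
     *   3. the target group is not the Super Admins group.
     * Returns a struct so the caller can report the outcome.
     */
    public struct function addToGroup(required string userId, required string groupId, required string csrfToken) {

        // Gate 0: state-changing operations must not be reachable via GET.
        if (cgi.request_method != "POST") {
            return { success = false, status = 405, reason = "POST required" };
        }

        // Gate 1: CSRF. csrfVerifyToken() compares the submitted token with the one generated
        // for this session under the same key; a forged cross-site request cannot know it.
        if (!csrfVerifyToken(arguments.csrfToken, "addToGroup")) {
            writeLog(file = "security", type = "warning",
                     text = "CSRF token mismatch on addToGroup userId=#arguments.userId# groupId=#arguments.groupId# ip=#cgi.remote_addr#");
            return { success = false, status = 403, reason = "invalid or missing CSRF token" };
        }

        // Gate 2: authorization. isCurrentUserAdmin() is a hypothetical helper standing in for
        // whatever session/permission check the application already uses.
        if (!isCurrentUserAdmin()) {
            writeLog(file = "security", type = "warning",
                     text = "Unauthorized addToGroup attempt for userId=#arguments.userId# ip=#cgi.remote_addr#");
            return { success = false, status = 403, reason = "caller is not an administrator" };
        }

        // Gate 3: this endpoint never grants the highest privilege level, whatever the caller sends.
        if (arguments.groupId == variables.superAdminGroupId) {
            return { success = false, status = 400, reason = "assignment to Super Admins is not permitted here" };
        }

        // createUserInGroup() is a hypothetical persistence call, not Mura's own API.
        createUserInGroup(arguments.userId, arguments.groupId);

        // Audit trail: who changed which membership, from where. This is the record that the
        // "monitor group membership changes" recommendation relies on.
        writeLog(file = "audit", type = "information",
                 text = "GROUP_ADD actor=#session.currentUserId# target=#arguments.userId# group=#arguments.groupId# ip=#cgi.remote_addr#");

        return { success = true, status = 200, reason = "" };
    }

    private boolean function isCurrentUserAdmin() {
        // Hypothetical: adapt to the application's real session/permission model.
        return structKeyExists(session, "isAdmin") && session.isAdmin;
    }

    private void function createUserInGroup(required string userId, required string groupId) {
        // Hypothetical persistence; replaced by the real data-access call in a deployment.
    }
}
```

The form that submits to this handler embeds the matching token in a hidden field, for example `<input type="hidden" name="csrfToken" value="#csrfGenerateToken('addToGroup')#">`, and the token must be generated under the same key used by csrfVerifyToken(). Marking the session cookie SameSite=Lax or Strict adds a second, browser-enforced layer, but it does not replace the server-side check, since older clients and some cross-site navigations do not honour it.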


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-08-06T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 69bacf27771bdb1749ad8321

Added to database: 3/18/2026, 4:13:27 PM

Last enriched: 3/18/2026, 4:29:19 PM

Last updated: 3/19/2026, 1:54:31 AM

