
CVE-2025-66571: CWE-502: Deserialization of Untrusted Data in UNA CMS

Severity: Critical
Tags: Vulnerability, CVE-2025-66571, CWE-502
Published: Thu Dec 04 2025 (12/04/2025, 20:43:52 UTC)
Source: CVE Database V5
Product: UNA CMS

Description

UNA CMS versions 9.0.0-RC1 - 14.0.0-RC4 contain a PHP object injection vulnerability in BxBaseMenuSetAclLevel.php where the profile_id POST parameter is passed to PHP unserialize() without proper handling, allowing remote, unauthenticated attackers to inject arbitrary PHP objects and potentially write and execute arbitrary PHP code.

AI-Powered Analysis

Last updated: 12/11/2025, 22:12:26 UTC

Technical Analysis

CVE-2025-66571 is a critical CWE-502 (Deserialization of Untrusted Data) vulnerability in UNA CMS 9.0.0-RC1 through 14.0.0-RC4. BxBaseMenuSetAclLevel.php passes the profile_id POST parameter to PHP's unserialize() without validating it. Because unserialize() reconstructs whatever class and property values the serialized string names, a remote sender controls which objects are created inside the application and which magic methods (__wakeup(), __destruct(), __toString() and similar) run on them; with a suitable gadget class reachable through the autoloader, this PHP object injection can be chained into writing files and executing arbitrary PHP code, giving full control of the web server. No authentication or user interaction is required, so the flaw can be exploited at scale by scanners looking for exposed UNA CMS instances. The CVSS 4.0 score is 9.3 (critical), reflecting full impact on confidentiality, integrity and availability. No public exploit is known at the time of writing, but the low exploitation complexity and the severity warrant immediate attention. Because no official patch was available at disclosure, organizations should apply temporary mitigations: restrict or disable the affected endpoint, validate profile_id as an integer before it reaches any parsing, and deploy WAF rules that block serialized PHP objects in POST bodies (a stopgap only, since signature matching can be evaded by encoding tricks).
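The following added example illustrates the pattern described above. It is not UNA CMS code: the class DemoGadget, the two handler functions, GadgetLog and the payload string are assumptions for the demonstration. It shows a handler that deserializes a POST value, what an attacker-chosen object can do when it is released, the hardened handler that treats profile_id as the integer it is, and the allowed_classes fallback for code that cannot drop unserialize() entirely.

```php
<?php
// Added illustration of the CWE-502 pattern. Not UNA CMS code: DemoGadget, GadgetLog,
// the two handler functions and the payload are assumptions for this demo.

// Collects side effects so the demo can show when a gadget's magic method ran.
class GadgetLog
{
    public static array $events = [];
}

// Hypothetical class standing in for any autoloadable class whose magic method
// does something side-effectful with attacker-controllable properties.
class DemoGadget
{
    public string $path = '';
    public string $data = '';

    // __destruct() runs when the object is released; unserialize() lets the sender
    // choose both the class and every property value it runs with.
    public function __destruct()
    {
        GadgetLog::$events[] = sprintf('would write %d bytes to %s',
                                       strlen($this->data), $this->path);
    }
}

// Vulnerable pattern: an untrusted POST value goes straight into unserialize().
function setAclLevelVulnerable(array $post): mixed
{
    return unserialize($post['profile_id'] ?? '');   // CWE-502
}

// Hardened pattern: profile_id is an identifier, so it is validated as a
// positive integer and never deserialized at all.
function setAclLevelHardened(array $post): int
{
    $id = filter_var($post['profile_id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('profile_id must be a positive integer');
    }
    return $id;
}

// Fallback where deserialization truly cannot be removed: forbid class
// instantiation. Object records become __PHP_Incomplete_Class and run no code.
// This stops gadget chains but is not input validation.
function unserializeNoObjects(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Constructed payload: a serialized DemoGadget with sender-chosen properties.
$payload = 'O:10:"DemoGadget":2:{s:4:"path";s:13:"/tmp/demo.txt";s:4:"data";s:5:"hello";}';

$obj = setAclLevelVulnerable(['profile_id' => $payload]);
unset($obj);                    // releases the object, so __destruct() fires
print_r(GadgetLog::$events);    // the gadget's recorded side effect

$safe = unserializeNoObjects($payload);
// No DemoGadget is created from the same bytes; the record is an incomplete class.
var_dump($safe instanceof __PHP_Incomplete_Class);

try {
    setAclLevelHardened(['profile_id' => $payload]);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;   // rejected before any parsing happens
}
var_dump(setAclLevelHardened(['profile_id' => '42']));
```

The hardened handler is the real fix for a parameter like profile_id: an identifier has no business being deserialized, so the unserialize() call is removed rather than wrapped. allowed_classes is only appropriate for code that must accept serialized arrays or scalars from outside, and even then the decoded structure still has to be validated before use.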

Potential Impact

For European organizations, the impact of CVE-2025-66571 is substantial. Exploitation can lead to complete compromise of UNA CMS-based websites, resulting in data breaches, defacement, unauthorized access to sensitive user information, and potential pivoting into internal networks. Public-facing UNA CMS installations used by businesses, government agencies, or critical infrastructure providers could be targeted for espionage, disruption, or ransomware deployment. The vulnerability's unauthenticated nature means attackers can exploit it at scale, increasing the risk of widespread incidents. Organizations relying on UNA CMS for community platforms, intranets, or customer portals face risks to their reputation and regulatory compliance, particularly under GDPR, due to potential personal data exposure. Additionally, service downtime caused by exploitation could disrupt operations and lead to financial losses.

Mitigation Recommendations

Immediate mitigation steps include:
1) Apply official patches or updates from UNA CMS as soon as they become available.
2) Until a patch is available, disable or restrict access to the BxBaseMenuSetAclLevel.php functionality (for example by limiting it to trusted networks), since it accepts the profile_id POST parameter from unauthenticated callers.
3) Validate profile_id as a positive integer before it is used and never pass it to unserialize(); where deserialization of external data genuinely cannot be removed, call unserialize() with allowed_classes set to false, or replace the format with JSON.
4) Deploy Web Application Firewall (WAF) rules that detect and block serialized PHP objects (records beginning with O: or C:) in POST bodies, including URL-encoded forms. Treat this as a stopgap: signature matching can be evaded, and it does not fix the code.
5) Audit the CMS core and any custom modules for other unserialize() calls on request-controlled data and refactor them.
6) Monitor web server logs and network traffic for POST requests whose parameters contain serialized PHP objects, and for profile_id values that are not plain integers.
7) Train development and security teams on the risks of unsafe deserialization and on secure coding practices.
8) Isolate UNA CMS instances in segmented network zones to limit lateral movement if an instance is compromised.
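To make the WAF and log-monitoring steps concrete, here is an added triage script that is not part of the advisory or of UNA CMS. It parses constructed POST bodies, flags any parameter carrying a serialized PHP object record (also after double URL-encoding), and separately applies the allowlist rule that profile_id must be a positive integer. The request bodies are constructed for the demo; the function names are this example's own.

```php
<?php
// Added example, not from the advisory or from UNA CMS: a request-body check that
// can serve as a WAF-style pre-filter or a log-triage pass. Sample bodies below
// are constructed for the demo.

// Matches a serialized PHP object record anywhere in a value:  O:<len>:"<Class>":<n>:{
// or the C: (custom) form, both of which instantiate a class on unserialize().
const SERIALIZED_OBJECT_RE = '/[OC]:\d+:"[^"]+":\d+:\{/';

// parse_str() already decodes one layer of URL-encoding; the extra
// rawurldecode() catches double-encoded payloads meant to slip past naive rules.
function containsSerializedObject(string $value): bool
{
    return (bool) preg_match(SERIALIZED_OBJECT_RE, rawurldecode($value));
}

// Allowlist rule for the specific parameter: an identifier must be a positive integer.
function isValidProfileId(mixed $value): bool
{
    return is_string($value)
        && filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]) !== false;
}

// Returns, per body index, the reasons it was flagged (empty result means all clean).
function triageBodies(array $bodies): array
{
    $findings = [];
    foreach ($bodies as $i => $body) {
        parse_str($body, $params);
        $reasons = [];
        foreach ($params as $name => $value) {
            if (is_string($value) && containsSerializedObject($value)) {
                $reasons[] = "serialized object in $name";
            }
        }
        if (array_key_exists('profile_id', $params) && !isValidProfileId($params['profile_id'])) {
            $reasons[] = 'non-integer profile_id';
        }
        if ($reasons !== []) {
            $findings[$i] = $reasons;
        }
    }
    return $findings;
}

// Constructed sample POST bodies (form-encoded, as a browser or scanner would send).
$bodies = [
    // benign request
    'profile_id=42&level=3',
    // serialized object, single URL-encoding
    'profile_id=' . rawurlencode('O:10:"DemoGadget":1:{s:4:"path";s:4:"/tmp";}'),
    // serialized object, double URL-encoding
    'profile_id=' . rawurlencode(rawurlencode('O:8:"stdClass":0:{}')),
    // serialized array without any object: no gadget, but still not a valid id
    'profile_id=' . rawurlencode('a:2:{i:0;i:1;i:1;i:2;}'),
];

print_r(triageBodies($bodies));
```

The last sample is the reason the allowlist rule exists alongside the signature: a signature for object records would pass a serialized array, yet nothing but an integer is a legitimate profile_id. In a WAF, reject on either rule; in log triage, both rules together give a short list of requests worth pulling full bodies for.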


Technical Details

Data Version: 5.2
Assigner Short Name: VulnCheck
Date Reserved: 2025-12-04T16:17:41.799Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6931f4e10459f550ecf89e87

Added to database: 12/4/2025, 8:53:53 PM

Last enriched: 12/11/2025, 10:12:26 PM

Last updated: 1/19/2026, 5:55:38 AM
