A critical vulnerability has been identified in multiple FoxCMS products, rated 9.8 out of 10. This flaw allows an attacker to execute arbitrary code on the server by manipulating template files through the administrator panel. Successful exploitation could lead to a complete system compromise, resulting in data theft, service disruption, and loss of control over the affected website.

The vulnerability exists within the template file editor located at admin/template_file/editFile.html. An authenticated attacker with administrative privileges can abuse this functionality to inject malicious server-side code (e.g., PHP) into a template file. When the application saves and subsequently renders this modified template, the injected code is executed on the server with the permissions of the web server process, leading to remote code execution (RCE).

This vulnerability is of critical severity with a CVSS score of 9.8, indicating a high likelihood of exploitation with a devastating impact. A successful attack would grant the adversary full control over the underlying web server. This could lead to severe business consequences, including the theft of sensitive data (customer information, payment details, intellectual property), website defacement causing significant reputational damage, and the use of the compromised server to launch further attacks against the organization's internal network or other external targets.

Immediate Action:

• Immediately apply the security patches provided by FoxCMS to upgrade all instances to a version higher than v1.2.5.
• If a patch is not yet available, restrict access to the /admin/ directory to trusted IP addresses at the network or web server level as a temporary measure.
• Review server access logs and file integrity for any signs of compromise, such as unexpected modifications to template files or suspicious outbound connections.

Proactive Monitoring:

• Monitor web server logs for unusual POST requests to the admin/template_file/editFile.html endpoint.
• Implement file integrity monitoring (FIM) on the web application directory to alert on unauthorized changes to template files (e.g., .html, .php, .tpl).
• Monitor network traffic for anomalous outbound connections from the web server, which could indicate a successful compromise and communication with a command-and-control (C2) server.

Compensating Controls:

• Deploy a Web Application Firewall (WAF) with rules designed to detect and block attempts to inject malicious code patterns into web requests.
• Disable the template file editing feature within the FoxCMS admin panel if it is not essential for business operations.
• Ensure the web server process runs with the lowest possible privileges to limit the impact of a potential code execution event.

Public Exploit Available: False

This vulnerability represents a critical risk to the organization and must be addressed with the highest priority. The potential for a full system compromise necessitates immediate action. We strongly recommend that all affected FoxCMS instances be patched immediately. Although this CVE is not currently listed on CISA's KEV catalog, its critical severity warrants treating it as an active and imminent threat. Organizations should assume it will be exploited and allocate resources for immediate remediation and post-patch verification.