CVE-2025-52353
Badaso · Badaso CMS
A critical remote code execution vulnerability has been identified in Badaso CMS, assigned CVE-2025-52353 with a CVSS score of 9.8.
Executive summary
A critical remote code execution vulnerability has been identified in Badaso CMS, assigned CVE-2025-52353 with a CVSS score of 9.8. This flaw allows an authenticated attacker to upload a malicious file and execute arbitrary code, potentially leading to a full compromise of the web server. This could result in data theft, service disruption, and further unauthorized access into the network.
Vulnerability
The vulnerability exists within the Media Manager component of Badaso CMS. The file upload functionality fails to properly sanitize and validate uploaded files, allowing an authenticated user to bypass content-type restrictions. An attacker can upload a file containing executable PHP code (e.g., a web shell disguised as an image file) to the server. By subsequently accessing the uploaded file's URL, the attacker can trigger the server to execute the embedded code, resulting in remote code execution with the permissions of the web server process.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. A successful exploit would grant an attacker complete control over the affected web server. The potential consequences include, but are not limited to, exfiltration of sensitive company or customer data, deployment of ransomware, defacement of the website, complete service disruption, and using the compromised server as a foothold to launch further attacks against the internal network. The direct business risks include significant financial loss, reputational damage, and potential regulatory penalties for data breaches.
Remediation
Immediate Action: Update all instances of Badaso CMS to the latest version provided by the vendor to patch this vulnerability. Before and after patching, it is crucial to check for signs of exploitation that may already have occurred by reviewing web server access logs, system files, and running processes.
Proactive Monitoring:
- Review web server access logs for suspicious requests to the file-upload endpoint and any direct requests to non-standard files (e.g., .php, .phtml) within media upload directories.
- Monitor for any unexpected outbound network connections originating from the web server.
- Implement file integrity monitoring on the web server to detect the creation of unauthorized files in web-accessible directories.
- Check for unexpected processes running under the web server's user account (e.g., www-data, apache).
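The log review above can be scripted. The following is an added example, not part of this advisory or of the Badaso project: it triages combined-format access log lines, flagging successful POSTs to the upload route and any request for a script-like name (including double extensions such as image.php.jpg) under an upload directory. The upload directories (/storage/, /uploads/), the upload route (/badaso/file/upload) and the log lines are assumptions constructed for the example; adjust them to the deployment being checked.

```python
import re
from urllib.parse import urlparse

# Apache/nginx combined log format; only the fields needed for triage are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed locations: Badaso's real storage path and upload route may differ per deployment.
UPLOAD_DIRS = ("/storage/", "/uploads/")
UPLOAD_ENDPOINT_HINT = "upload"          # substring of the media-manager upload route (assumed)
SCRIPT_EXTS = (".php", ".phtml")         # extensions named in the advisory


def classify(line: str):
    """Return (reason, path) if the line matches one of the advisory's indicators, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = urlparse(m["target"]).path.lower()   # drop any query string before inspecting
    status = int(m["status"])
    name_parts = path.rsplit("/", 1)[-1].split(".")
    # 1. Any request, whether it succeeded or not, for a script-like name under an upload
    #    directory. Checking every extension segment catches shell.php as well as shell.php.jpg.
    if path.startswith(UPLOAD_DIRS) and any("." + p in SCRIPT_EXTS for p in name_parts[1:]):
        return ("script_in_upload_dir", path)
    # 2. Successful POSTs to the upload route: the events to correlate with new files on disk.
    if m["method"] == "POST" and UPLOAD_ENDPOINT_HINT in path and status < 400:
        return ("upload_request", path)
    return None


def scan(lines):
    """Triage access-log lines; returns (reason, path, client_ip) for each flagged line."""
    hits = []
    for line in lines:
        result = classify(line)
        if result:
            hits.append((result[0], result[1], line.split()[0]))
    return hits


# Constructed sample log lines (addresses from the documentation ranges, not real hosts).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2025:12:00:01 +0000] "GET /storage/files/banner.jpg HTTP/1.1" 200 5120
203.0.113.10 - - [10/Jun/2025:12:00:05 +0000] "POST /badaso/file/upload HTTP/1.1" 200 88
203.0.113.10 - - [10/Jun/2025:12:00:09 +0000] "GET /storage/files/image.php.jpg?v=2 HTTP/1.1" 200 312
198.51.100.7 - - [10/Jun/2025:12:01:00 +0000] "GET /storage/files/shell.phtml HTTP/1.1" 404 196
198.51.100.7 - - [10/Jun/2025:12:01:30 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for reason, path, ip in scan(SAMPLE_LOG.splitlines()):
        print(f"{reason:22} {ip:15} {path}")
```

A 404 on a script name in an upload directory is still flagged, since a failed fetch of a web shell is itself worth correlating with the upload events that precede it.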
Compensating Controls: If patching cannot be performed immediately, implement the following controls to reduce risk:
- Restrict administrative access to the Badaso CMS panel, particularly the Media Manager, to trusted IP addresses only.
- Deploy a Web Application Firewall (WAF) with rules specifically designed to inspect and block malicious file uploads.
- If the file upload functionality is not critical, temporarily disable it until the patch can be applied.
- Ensure the web server process runs with the principle of least privilege, with no execute permissions in upload directories.
Exploitation status
Public Exploit Available: Not publicly known as of the date of this report.
Analyst recommendation
Given the critical severity of this remote code execution vulnerability, immediate patching is the highest priority for all systems running the affected versions of Badaso CMS. A successful exploit would allow a low-privileged authenticated user to gain complete control over the server, posing a severe and direct threat to the organization. Although this vulnerability is not currently on the CISA KEV list, its high impact score makes it a prime candidate for future inclusion. We strongly recommend organizations apply the vendor-supplied patches immediately and hunt for any evidence of prior compromise.