A high-severity vulnerability has been identified in multiple Grav products, a file-based web platform. Successful exploitation of this vulnerability could allow a remote, unauthenticated attacker to execute arbitrary code on the server, leading to a complete system compromise. This could result in data theft, website defacement, or the installation of malware on the affected web server.

The vulnerability exists due to improper input sanitization within the file processing component of the Grav platform. An unauthenticated remote attacker can upload a specially crafted file (e.g., an image or markdown document containing embedded malicious code). When the Grav server processes this file, the malicious code is not properly neutralized and is executed with the permissions of the web server process, resulting in Remote Code Execution (RCE).

This vulnerability is rated as High severity with a CVSS score of 8.8. A successful exploit would grant an attacker full control over the affected web server, posing a significant risk to the organization. Potential consequences include the theft of sensitive data stored on the server, disruption of web services, reputational damage from a public-facing compromise, and financial losses associated with incident response and recovery. The compromised server could also be used as a pivot point to launch further attacks against the internal network.

Immediate Action:

• Identify all internet-facing systems running vulnerable versions of Grav products.
• Apply the security updates provided by the vendor immediately to mitigate the vulnerability.
• After patching, review web server access logs, application logs, and file systems for any indicators of compromise, such as suspicious file uploads or unexpected outbound network connections.

Proactive Monitoring:

• Monitor web server logs for unusual POST requests, especially those related to file uploads to unexpected endpoints.
• Implement file integrity monitoring (FIM) to alert on any unauthorized changes to Grav core files or content directories.
• Scrutinize outbound network traffic from the web server for connections to unusual IP addresses or ports, which could indicate a successful compromise.

Compensating Controls:

• If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules designed to block the specific attack patterns associated with this vulnerability.
• Restrict file upload functionality to trusted users only or temporarily disable it if the business function is non-essential.
• Ensure the web server is running with the principle of least privilege and is properly segmented from critical internal network resources to limit the potential impact of a breach.

Public Exploit Available: false

Due to the high CVSS score of 8.8 and the risk of Remote Code Execution, this vulnerability presents a critical threat to the organization. Although CVE-2025-66295 is not currently listed on the CISA KEV catalog, its severity makes it a prime target for opportunistic and targeted attacks. We strongly recommend that all system owners prioritize the immediate application of vendor-supplied patches to all affected Grav installations to prevent a potential system compromise.