
CVE-2025-10397: Maccms MacCMS SSRF Vulnerability

CVE-2025-10397 is a server-side request forgery flaw in MacCMS (vendor Magicblack, listed as maccms) affecting the API Handler component. An authenticated attacker with high privileges can exploit the cjurl parameter over the network. This article covers technical details, impact, and mitigation.


CVE-2025-10397 Overview

CVE-2025-10397 is a server-side request forgery (SSRF) vulnerability [CWE-918] in Magicblack MacCMS version 2025.1000.4050. The flaw resides in an unspecified function within the API Handler component. Attackers can manipulate the cjurl argument to coerce the application into issuing arbitrary outbound HTTP requests from the server.

The issue is remotely exploitable over the network but requires high privileges to trigger. A public exploit description has been published, increasing the likelihood of opportunistic use against exposed instances.

Critical Impact

Authenticated attackers can abuse the cjurl parameter to make the MacCMS server send HTTP requests to internal services, enabling reconnaissance of internal networks and potential interaction with non-public endpoints.

Affected Products

  • Magicblack MacCMS 2025.1000.4050
  • CPE: cpe:2.3:a:maccms:maccms:10.0:2025.1000.4050:*:*:*:*:*:*
  • Vendor: Magicblack (maccms)

Discovery Timeline

  • 2025-09-14 - CVE-2025-10397 published to NVD
  • 2026-04-29 - Last updated in NVD database

Technical Details for CVE-2025-10397

Vulnerability Analysis

The vulnerability is classified as Server-Side Request Forgery under [CWE-918]. MacCMS exposes an API Handler endpoint that accepts a user-controlled cjurl argument. The application uses this value to perform a server-initiated HTTP request without sufficient validation of the destination URL.

Because the request originates from the MacCMS server, an attacker can target hosts and ports that are not reachable from the public internet. This includes internal web services, cloud metadata endpoints, and management interfaces bound to localhost or private network ranges.

The vulnerability requires authenticated access with high privileges, which limits the population of attackers but does not eliminate risk. Credential reuse, brute-force attacks on admin accounts, and compromised administrative sessions all provide viable paths to exploitation.

Root Cause

The root cause is missing validation and allow-listing on the cjurl parameter before it is passed to an HTTP client routine inside the API Handler. The handler trusts the supplied URL value and does not restrict the scheme, host, or destination port.

Attack Vector

An authenticated attacker submits a crafted request to the vulnerable API Handler endpoint with cjurl set to a target URL of their choice. The MacCMS backend then issues an outbound request to that URL and may return the response body, headers, or timing information to the attacker. Typical SSRF targets include http://127.0.0.1, RFC1918 ranges such as 10.0.0.0/8 and 192.168.0.0/16, and cloud instance metadata endpoints. No verified proof-of-concept code is available, so technical specifics should be confirmed against the public write-up on GitHub and the VulDB entry.
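The root-cause and attack-vector paragraphs above describe a value that flows from the request straight into an HTTP client. The following added example (illustrative Python, not MacCMS's own PHP code) places that vulnerable pattern beside a destination check of the kind the handler is missing: scheme and port restriction, an operator allow-list of collection hosts, rejection of userinfo tricks, and a check that every resolved address is publicly routable, with IPv4-mapped IPv6 unwrapped. The allow-list entry, the resolver answers and the address 198.100.10.20 are constructed so the demo runs offline.

```python
"""Added example (not MacCMS's own code): a destination check for a
"fetch this URL for me" parameter such as cjurl, beside the vulnerable pattern.
Hostnames, allow-list entries and resolver answers are constructed."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
# Hypothetical operator-maintained allow-list of collection sources.
ALLOWED_HOSTS = {"cj.example-source.com"}


class UnsafeUrl(ValueError):
    """The supplied URL must not be fetched from the server."""


def system_resolver(host):
    """Every A/AAAA answer for host (the default when no resolver is injected)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def fetch_unchecked(cjurl, http_get):
    """CWE-918 pattern: the user-supplied value goes straight to the HTTP client."""
    return http_get(cjurl)


def validate_fetch_target(cjurl, resolver=system_resolver, allowed_hosts=ALLOWED_HOSTS):
    """Return (host, pinned_ip, port) when cjurl may be fetched; raise UnsafeUrl otherwise.

    The caller should connect to pinned_ip (sending host in Host/SNI) rather than
    resolving again at fetch time; otherwise a DNS rebind can swap in an internal
    address between the check and the request.
    """
    parts = urlsplit(cjurl.strip())
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeUrl(f"scheme not allowed: {parts.scheme!r}")
    # http://allowed.host@10.0.0.1/ parses as userinfo "allowed.host", host 10.0.0.1
    if parts.username is not None or parts.password is not None:
        raise UnsafeUrl("userinfo in URL is not allowed")
    if not parts.hostname:
        raise UnsafeUrl("missing host")
    host = parts.hostname.lower().rstrip(".")
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError as exc:  # non-numeric or out-of-range port
        raise UnsafeUrl(f"bad port: {exc}") from None
    if port not in ALLOWED_PORTS:
        raise UnsafeUrl(f"port not allowed: {port}")
    if host not in allowed_hosts:
        raise UnsafeUrl(f"host not on allow-list: {host!r}")
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal: nothing to resolve
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError as exc:  # socket.gaierror is an OSError
            raise UnsafeUrl(f"resolution failed: {exc}") from None
    if not addresses:
        raise UnsafeUrl(f"{host} resolved to no addresses")
    # Every answer must be publicly routable: an allow-listed name pointing at
    # 10.0.0.5 or 169.254.169.254 is still an SSRF. IPv4-mapped IPv6 (::ffff:a.b.c.d)
    # is unwrapped so it cannot smuggle an internal IPv4 address past the check.
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if not ip.is_global:
            raise UnsafeUrl(f"{host} resolves to non-public address {ip}")
    return host, addresses[0], port


if __name__ == "__main__":
    # Constructed DNS answers so the demo runs offline (198.100.10.20 is an arbitrary public address).
    fake_dns = {"cj.example-source.com": ["198.100.10.20"]}
    print("allowed:", validate_fetch_target("https://cj.example-source.com/list.xml",
                                            resolver=fake_dns.__getitem__))
    for bad in ("http://127.0.0.1:80/", "http://169.254.169.254/latest/meta-data/",
                "gopher://cj.example-source.com/", "http://cj.example-source.com@10.0.0.1/"):
        try:
            validate_fetch_target(bad, resolver=fake_dns.__getitem__)
        except UnsafeUrl as exc:
            print("rejected:", bad, "->", exc)
```

The allow-list check runs before resolution, so a literal 127.0.0.1 or metadata address never reaches the resolver; the resolution check exists for the case where an allow-listed name is later pointed at an internal address. Returning the checked IP for the caller to pin is what closes the check-then-fetch gap that a second lookup would reopen.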

Detection Methods for CVE-2025-10397

Indicators of Compromise

  • Outbound HTTP requests from the MacCMS application server to internal IP ranges or localhost that do not match normal application behavior.
  • Web access logs containing requests to the API Handler with a cjurl parameter pointing to internal or metadata addresses.
  • Unexpected connections from the MacCMS host to cloud metadata services such as 169.254.169.254.

Detection Strategies

  • Inspect HTTP request logs for the cjurl parameter and flag values targeting private address space, loopback, or non-HTTP schemes.
  • Correlate web application logs with egress firewall logs to identify server-initiated requests that originate from MacCMS request handling.
  • Hunt for authenticated administrative sessions that invoke the API Handler from unusual source IPs or at atypical times.
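The first detection strategy above, as an added example that is not part of the original page or of MacCMS: a hunt over web access log lines that extracts cjurl from the query string and flags values aimed at loopback, private, link-local or metadata addresses, names that only make sense internally, or non-HTTP schemes. It also normalises decimal, hex and octal IP spellings (2130706433, 0x7f000001, 017700000001), which a regex for "127.0.0.1" misses. The endpoint path /api.php/collect and the log lines are constructed (the page does not name the real API Handler route), and only query-string values are visible here; a cjurl sent in a POST body needs application-level logging.

```python
"""Added example (not MacCMS's own code): hunt access logs for cjurl values that
target loopback, private, link-local or metadata addresses or non-HTTP schemes.
The route /api.php/collect and all log lines are constructed."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Combined/common access log: client, ident, user, [time], "METHOD TARGET PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: five abusive requests, one legitimate collection, one unrelated hit.
SAMPLE_LOG = """\
203.0.113.7 - admin [14/Sep/2025:10:01:02 +0000] "GET /api.php/collect?cjurl=http%3A%2F%2F127.0.0.1%3A3306%2F HTTP/1.1" 200 512
203.0.113.7 - admin [14/Sep/2025:10:01:05 +0000] "GET /api.php/collect?cjurl=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 1024
198.51.100.9 - admin [14/Sep/2025:10:02:00 +0000] "GET /api.php/collect?cjurl=https%3A%2F%2Fcj.example-source.com%2Flist.xml HTTP/1.1" 200 20480
203.0.113.7 - admin [14/Sep/2025:10:03:11 +0000] "GET /api.php/collect?cjurl=http%3A%2F%2F2130706433%2F HTTP/1.1" 200 512
203.0.113.7 - admin [14/Sep/2025:10:03:40 +0000] "GET /api.php/collect?cjurl=http%3A%2F%2Flocalhost%3A6379%2F HTTP/1.1" 200 80
203.0.113.7 - admin [14/Sep/2025:10:04:02 +0000] "GET /api.php/collect?cjurl=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 500 0
10.0.0.4 - - [14/Sep/2025:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 4096
"""


def host_to_ip(host):
    """IP for a literal host, including decimal (2130706433), hex (0x7f000001) and
    octal (017700000001) spellings that a naive match on 127.0.0.1 misses; else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    h = host.lower()
    try:
        if h.startswith("0x"):
            return ipaddress.IPv4Address(int(h, 16))
        if h.isdigit():
            return ipaddress.IPv4Address(int(h, 8) if len(h) > 1 and h[0] == "0" else int(h))
    except ValueError:  # digits out of range for the base, or value > 32 bits
        return None
    return None


def classify_cjurl(value):
    """Reason string if value is a suspicious SSRF target, otherwise None."""
    parts = urlsplit(value.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return f"non-http scheme {parts.scheme!r}"
    host = (parts.hostname or "").lower()
    if not host:
        return "no host"
    ip = host_to_ip(host)
    if ip is not None:
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is still 10.0.0.1
        return None if ip.is_global else f"non-public address {ip}"
    if host == "localhost" or host.endswith((".localhost", ".local", ".internal")):
        return f"internal-style name {host!r}"
    return None


def scan_log_lines(lines):
    """One finding per request whose query string carries a suspicious cjurl."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for value in parse_qs(urlsplit(m["target"]).query).get("cjurl", []):
            reason = classify_cjurl(value)
            if reason:
                findings.append({"src": m["src"], "user": m["user"], "time": m["time"],
                                 "cjurl": value, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG.splitlines()):
        print(f"{f['time']} {f['src']} user={f['user']} cjurl={f['cjurl']} :: {f['reason']}")
```

Group the findings by user and source address before triage: the sample shows one administrative account walking loopback ports and the metadata endpoint from a single client, which is the enumeration pattern the monitoring recommendations below are meant to alert on.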

Monitoring Recommendations

  • Enable verbose application logging for the MacCMS API Handler, including full query strings and outbound HTTP destinations.
  • Apply network egress monitoring on the MacCMS host to detect connections to internal subnets and cloud metadata endpoints.
  • Alert on repeated failed or anomalous cjurl request patterns that suggest enumeration of internal services.

How to Mitigate CVE-2025-10397

Immediate Actions Required

  • Restrict administrative access to MacCMS to trusted IP ranges and enforce multi-factor authentication on all high-privilege accounts.
  • Block outbound traffic from the MacCMS server to internal management networks and cloud metadata endpoints at the network layer.
  • Audit recent administrative activity and API Handler usage for signs of exploitation.

Patch Information

No vendor advisory or patch has been linked in the public CVE record at the time of writing. Monitor the VulDB entry for CVE-2025-10397 and the Magicblack project channels for an official fix. Until a patch is released, treat the deployment as exposed and apply the workarounds below.

Workarounds

  • Place the MacCMS application behind a reverse proxy that strips or validates the cjurl parameter against an allow-list of permitted external hosts. The proxy must inspect the parameter wherever the handler accepts it (query string and request body), otherwise the attacker simply supplies it the other way.
  • Run the MacCMS process under a network policy that denies access to RFC1918 ranges, 127.0.0.0/8, and 169.254.169.254 unless explicitly required.
  • Rotate administrator credentials and review session tokens to reduce the risk of high-privilege accounts being abused for SSRF.
```bash
# Example egress restriction using iptables to block SSRF targets from the MacCMS host.
# Assumes the PHP worker runs as www-data; substitute the php-fpm pool user your
# deployment actually uses. Rules are appended (-A), so ACCEPT any loopback service the
# site legitimately needs (e.g. MySQL or Redis on 127.0.0.1) earlier in OUTPUT, or the
# site breaks. These rules cover TCP only; add matching -p udp rules if required.
iptables -A OUTPUT -d 127.0.0.0/8 -p tcp -m owner --uid-owner www-data -j REJECT
iptables -A OUTPUT -d 10.0.0.0/8 -p tcp -m owner --uid-owner www-data -j REJECT
iptables -A OUTPUT -d 172.16.0.0/12 -p tcp -m owner --uid-owner www-data -j REJECT
iptables -A OUTPUT -d 192.168.0.0/16 -p tcp -m owner --uid-owner www-data -j REJECT
# Cloud instance metadata endpoint (link-local); widen to 169.254.0.0/16 if nothing
# on the host needs link-local reachability.
iptables -A OUTPUT -d 169.254.169.254 -p tcp -m owner --uid-owner www-data -j REJECT
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
