CVE-2025-64050 Overview
CVE-2025-64050 is a Remote Code Execution (RCE) vulnerability in the template management component of REDAXO CMS version 5.20.0. Authenticated administrators can inject arbitrary PHP code into an active template. The payload executes when any frontend visitor loads a page rendered with the compromised template, granting attackers command execution under the web server account.
The flaw is classified under CWE-94: Improper Control of Generation of Code. It affects content management workflows where template editing is exposed to administrative users.
Critical Impact
Successful exploitation results in arbitrary operating system command execution on the server hosting REDAXO, compromising confidentiality, integrity, and availability of the affected web application.
Affected Products
- REDAXO CMS 5.20.0
- REDAXO template management component
- Web applications built on the affected REDAXO release
Discovery Timeline
- 2025-11-25 - CVE-2025-64050 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-64050
Vulnerability Analysis
The vulnerability resides in REDAXO CMS 5.20.0's template management interface. Templates in REDAXO are rendered as PHP, and the application stores administrator-supplied template content for later inclusion during page rendering. The template management component fails to restrict or sanitize PHP code injected into template bodies.
An attacker who holds administrator credentials can save a template containing arbitrary PHP statements. When the application renders a frontend page that references the modified template, the injected PHP executes inside the web server process. This converts a stored configuration object into a server-side code execution primitive.
Because execution is triggered by unauthenticated frontend visitors, the attacker does not need to revisit the admin panel to detonate the payload. The vulnerability is tracked as exploitable over the network with low complexity, but requires high privileges to plant the payload.
Root Cause
The root cause is improper control of code generation [CWE-94]. The template editor treats administrator input as trusted PHP source and writes it to a file or storage location that is later included or evaluated during request handling. There is no segregation between template markup and executable code, and no policy preventing privileged users from introducing arbitrary PHP constructs.
Attack Vector
Exploitation requires the following preconditions: a reachable REDAXO 5.20.0 instance, valid administrator credentials, and an active template that is referenced by at least one frontend page. The attacker authenticates to the admin panel, edits an active template, and embeds PHP code that invokes functions such as system, exec, passthru, or shell_exec.
Once saved, the payload is dormant in the database until the next frontend page load using that template. Any visitor accessing the affected URL triggers execution, providing the attacker with output retrieval through HTTP responses or out-of-band channels. Refer to the CVE-2025-64050 disclosure for technical details.
Detection Methods for CVE-2025-64050
Indicators of Compromise
- Unexpected modifications to records in the REDAXO templates table, particularly outside of routine change-management windows.
- Presence of PHP function calls such as system(, exec(, passthru(, shell_exec(, eval(, or base64_decode( inside template bodies.
- Outbound network connections initiated by the web server process (php-fpm or Apache) to unfamiliar hosts following template edits.
- New files, web shells, or cron entries created under the web root or REDAXO data directories.
Detection Strategies
- Audit REDAXO administrator activity logs for template/edit actions and correlate timestamps with template content changes.
- Inspect template storage for PHP tokens that should not appear in legitimate markup, such as backtick operators or process-spawning functions.
- Monitor web server processes for child processes spawning shells (/bin/sh, bash, cmd.exe) immediately after HTTP requests to frontend pages.
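As an added example (not code from the page or from the REDAXO project), the following script performs the template inspection described above: it scans stored template bodies for the process-spawning and evaluation tokens listed under Indicators of Compromise, looking only inside PHP regions so that HTML text does not trigger it, and reports line numbers. The template bodies are constructed samples, and the function list is the page's own plus the names in its disable_functions example.

```python
import re

# Process-spawning and evaluation functions named in the advisory's indicators
# and in its disable_functions example.
DANGEROUS_FUNCS = ("system", "exec", "passthru", "shell_exec", "eval", "base64_decode",
                   "proc_open", "popen", "pcntl_exec")

# A call is the name, optional whitespace, then "(". PHP function names are
# case-insensitive. The lookbehind skips method/static calls ($obj->exec(),
# Foo::exec()) and variable functions ($exec(), which need separate review).
CALL_RE = re.compile(
    r"(?<![\w$>:])(" + "|".join(DANGEROUS_FUNCS) + r")\s*\(", re.IGNORECASE)
# A backtick pair is PHP's shell-execution operator (equivalent to shell_exec()).
BACKTICK_RE = re.compile(r"`[^`\n]*`")
# PHP code regions: REDAXO templates mix HTML and PHP, and only PHP can execute.
PHP_BLOCK_RE = re.compile(r"<\?(?:php\b|=)?(.*?)(?:\?>|\Z)", re.DOTALL | re.IGNORECASE)


def scan_template(body):
    """Return a sorted list of (line_number, indicator) hits for one template body."""
    hits = []
    for block in PHP_BLOCK_RE.finditer(body):
        code, start = block.group(1), block.start(1)
        for m in CALL_RE.finditer(code):
            line = body.count("\n", 0, start + m.start()) + 1
            hits.append((line, m.group(1).lower() + "("))
        for m in BACKTICK_RE.finditer(code):
            line = body.count("\n", 0, start + m.start()) + 1
            hits.append((line, "backtick operator"))
    return sorted(hits)


def scan_templates(templates):
    """templates: {template_name: body}. Returns {name: hits} for templates with findings."""
    return {name: hits for name, body in templates.items() if (hits := scan_template(body))}


# Constructed sample template bodies; not taken from a real REDAXO installation.
SAMPLE_TEMPLATES = {
    "default": "<!DOCTYPE html>\n<title><?php echo htmlspecialchars($title); ?></title>\n"
               "<?php $renderer->exec($article); ?>\n<p>The text exec( is harmless here</p>\n",
    "tampered": "<header>...</header>\n<?php\n  PassThru( 'uname -a' );\n"
                "  eval(base64_decode('Zm9v'));\n?>\n<?= `whoami` ?>\n",
}

if __name__ == "__main__":
    for name, hits in scan_templates(SAMPLE_TEMPLATES).items():
        for line, what in hits:
            print(f"{name}: line {line}: {what}")
```

In a real review, feed the script the template bodies exported from the REDAXO templates table and compare the hit list against the change-management record for each template.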
Monitoring Recommendations
- Enable file integrity monitoring on REDAXO template directories and configuration files.
- Forward web server, PHP, and REDAXO audit logs to a centralized analytics pipeline for retention and correlation.
- Alert on administrator authentications from new geolocations or unusual user agents that precede template modifications.
How to Mitigate CVE-2025-64050
Immediate Actions Required
- Upgrade REDAXO to a release later than 5.20.0 once a fixed version is published by the maintainers; track the REDAXO repository for advisories.
- Rotate all administrator credentials and invalidate active sessions on REDAXO instances.
- Review every active template for unauthorized PHP code and restore from a known-good backup if tampering is suspected.
- Restrict admin panel access to trusted networks using IP allowlists, VPN, or reverse proxy authentication.
Patch Information
No vendor patch was referenced in the NVD entry at the time of publication. Administrators should monitor the official REDAXO GitHub repository and the CVE-2025-64050 disclosure record for fix availability. Until a patched release is installed, treat any REDAXO 5.20.0 deployment with internet-exposed admin interfaces as high risk.
Workarounds
- Limit the number of accounts with the administrator role and enforce multi-factor authentication on those accounts.
- Place the REDAXO admin panel behind a reverse proxy that enforces additional authentication or source IP restrictions.
- Run the PHP runtime with disable_functions configured to block system, exec, passthru, shell_exec, and proc_open where the application does not require them.
- Deploy a web application firewall ruleset that inspects template editor POST bodies for PHP tags and shell command tokens.
# Example php.ini hardening to reduce RCE impact
disable_functions = system,exec,passthru,shell_exec,proc_open,popen,pcntl_exec
open_basedir = /var/www/redaxo:/tmp
allow_url_include = Off
expose_php = Off
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.