Description
Vvveb CMS is vulnerable to code injection via the Code Editor functionality.
Unsanitized editing functionality allows attacker-controlled changes to existing files on the web-accessible filesystem, allowing remote authenticated attackers with access to the Code Editor to achieve code execution when those modified files are executed or served by the application or web server.
This vulnerability affects Vvveb CMS versions up to and including 1.0.5. Successful exploitation may result in the remote code execution under the privileges of the web server, potentially exposing sensitive data or disrupting survey operations.
An attacker can execute arbitrary system commands in the context of the user running the web server.
Module options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/multi/http/vvveb_auth_rce_cve_2025_8518msf undefined(vvveb_auth_rce_cve_2025_8518) > show actions ...actions...msf undefined(vvveb_auth_rce_cve_2025_8518) > set ACTION < action-name >msf undefined(vvveb_auth_rce_cve_2025_8518) > show options ...show and set options...msf undefined(vvveb_auth_rce_cve_2025_8518) > runPrioritise with Active Threat Intelligence
With curated Threat Intelligence, you can see which vulnerabilities truly put you at risk, prioritize what matters most, and act before attackers do.
Explore Intelligence Hub