
Dive into CVE-2025-65271

CVE-2025-65271 is a high-severity (CVSS 8.8) vulnerability in Azuriom CMS.


What is Azuriom CMS?

Azuriom CMS is an easy-to-use website builder written in PHP for game server administrators who don't want to build a website from scratch: if you run a Minecraft server, a GMod server, etc., you can connect your game server to the website.

CVE Overview

The CVE description is the following: Client-side template injection (CSTI) in Azuriom CMS admin dashboard allows a low-privilege user to execute arbitrary template code in the context of an administrator’s session. This can occur via plugins or dashboard components that render untrusted user input, potentially enabling privilege escalation to an administrative account. Fixed in Azuriom 1.2.7.
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Technical Details

Before getting to the real impact we need to understand how the vulnerability works. It exists because petite-vue is mounted on the whole document element (fun fact: this behaviour isn't documented). The fix for this vulnerability is this commit: adding a v-scope completely fixed the issue.

I am not responsible for any actions taken by others using this PoC. I have provided it for research and security testing purposes only. I explicitly discourage any illegal or unethical use including unauthorized hacking or exploitation of systems. Use at your own risk and in compliance with applicable laws.

Exploiting time

So now that we know the whole admin dashboard is affected by a CSTI, how can we actually exploit it? Let's try a simple CSTI payload with the notification feature (send a notification to everyone) located on the Users tab.

(screenshot: Send notification)
Click on send and let's see what the notification looks like...
(screenshot: notification)
We can see "49", which means the CSTI works. OK, cool, we can send malicious notifications, but how can a low-privilege user steal an administrator account if they don't have access to the admin panel at all? Plugins are the answer! One of the most popular plugins is the support one. After downloading the plugin I made a new user with really low privileges (no admin dashboard at all) and then opened a fake ticket.
(screenshot: fake ticket)
The admin will see the ticket as follows:
(screenshot: admin view of the ticket)
But in reality I just made a new admin account by using my PoC.
(screenshot: pwned)
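To see why mounting petite-vue on the whole document turns a ticket body into template code (the "49" above) and why the v-scope fix works, here is an added example that is not Azuriom's or petite-vue's code: a toy mini-DOM plus a model of petite-vue's `mount()` as found in its source (with no selector, the outermost `[v-scope]` elements are the roots and the whole document is the fallback when there are none). The node shapes, the page layout, the `online` context value and the ticket text are all constructed for the example.

```javascript
// Constructed mini-DOM (assumption: no real DOM): { tag, attrs, children } or { text }.
const T = (text) => ({ text });
const E = (tag, attrs, ...children) => ({ tag, attrs, children });

// petite-vue turns each {{ expr }} into a Function over the app context, so any
// text the engine walks over is executable template code, not plain data.
function evalExpr(expr, ctx) {
  return new Function('ctx', `with (ctx) { return (${expr}); }`)(ctx);
}

function render(node, ctx) {
  if (node.text !== undefined) {
    node.text = node.text.replace(/\{\{(.+?)\}\}/g,
      (_, e) => String(evalExpr(e.trim(), ctx)));
  } else if (!('v-pre' in node.attrs)) {          // v-pre excludes a subtree
    node.children.forEach((c) => render(c, ctx));
  }
}

// Outermost [v-scope] elements; empty when nobody declared a scope.
function findScopedRoots(node, out = []) {
  if (!node.tag) return out;
  if ('v-scope' in node.attrs) out.push(node);
  else node.children.forEach((c) => findScopedRoots(c, out));
  return out;
}
// Defender's check: with no v-scope anywhere, mount() falls back to the whole
// document element, so every string rendered on the page becomes a template.
function isWholeDocumentMounted(doc) {
  return findScopedRoots(doc).length === 0;
}

// Model of createApp(ctx).mount() called without a selector.
function mount(doc, ctx) {
  const roots = isWholeDocumentMounted(doc) ? [doc] : findScopedRoots(doc);
  roots.forEach((r) => render(r, ctx));
  return doc;
}

// Constructed admin page: a dashboard widget plus a support ticket whose text a
// low-privilege user controls. `scoped` toggles the v-scope fix on the widget.
function adminPage(scoped) {
  const widget = E('div', scoped ? { 'v-scope': '' } : {}, T('Online: {{ online }}'));
  const ticket = E('div', { id: 'ticket' }, T('Subject: {{ 7*7 }}'));
  return E('html', {}, E('body', {}, widget, ticket));
}
const widgetText = (doc) => doc.children[0].children[0].children[0].text;
const ticketText = (doc) => doc.children[0].children[1].children[0].text;
const vulnerable = mount(adminPage(false), { online: 3 }); // ticket becomes "Subject: 49"
const fixed = mount(adminPage(true), { online: 3 });       // ticket stays "Subject: {{ 7*7 }}"
```

Once the dashboard widget carries v-scope, the widget's own interpolation still renders while the user-controlled ticket text is left verbatim; `isWholeDocumentMounted` is the check to run against a page before trusting anything rendered into it.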

Impact

  • Being admin on the game server and the website
  • RCE? (depends on the plugins)

Patches

  • Always use a good WAF to block malicious payloads, even if the website is vulnerable
  • Update to Azuriom 1.2.7

And that's all! Thanks for reading.
This post is licensed under CC BY 4.0 by the author.
