Platform: php
Component: pegasus-cms
Fixed in: 1.0.1
CVE-2019-25687 is a critical Remote Code Execution (RCE) vulnerability in Pegasus CMS. The flaw allows unauthenticated attackers to execute arbitrary commands on a vulnerable system, potentially leading to complete system compromise. The vulnerability affects versions 1.0.0 through 1.0, and a fix is pending release from the vendor.
The impact of CVE-2019-25687 is severe. An attacker can exploit this vulnerability to execute arbitrary code on the server hosting the Pegasus CMS installation. This could involve gaining remote command execution, uploading and executing malicious files, stealing sensitive data (including database credentials and user information), and potentially pivoting to other systems on the network. Because exploitation requires no authentication, the vulnerability is reachable by any attacker who can send requests to the affected endpoint. Passing unsanitized input to eval is a well-known anti-pattern in PHP applications and has been the root cause of many similar RCE vulnerabilities.
CVE-2019-25687 was publicly disclosed on 2026-04-05. While no active exploitation campaigns have been definitively linked to this CVE, the ease of exploitation and the critical severity make it a high-priority target. The vulnerability's reliance on eval mirrors patterns seen in other RCE vulnerabilities, suggesting potential for automated scanning and exploitation. It is not currently listed on the CISA KEV catalog, but its severity warrants monitoring.
Exploit Status
EPSS: 0.39% (60th percentile)
CISA SSVC
CVSS Vector
Due to the lack of a readily available patch, immediate mitigation strategies are crucial. The primary focus should be on preventing exploitation. Implement strict input validation on the action parameter of the submit.php endpoint to prevent malicious code injection. Disabling the eval function entirely within the extra_fields.php plugin is a highly effective, albeit potentially disruptive, workaround. Consider using a Web Application Firewall (WAF) with rules to detect and block suspicious POST requests targeting the submit.php endpoint. After a patch is released, upgrade Pegasus CMS to the fixed version immediately. Verify the upgrade by attempting to trigger the vulnerability via the submit.php endpoint and confirming that the request is rejected.
Update to a secure version of Pegasus CMS that fixes the remote code execution vulnerability in the extra_fields.php file. Check the official Pegasus CMS sources for information on available updates and installation instructions. As a preventative measure, disable the extra_fields.php plugin until a secure update can be applied.
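The input-validation mitigation above, as an added illustration that is not Pegasus CMS or extra_fields.php source code: the vulnerable pattern (request data reaching eval) is shown beside a hardened handler that treats the action parameter only as a key into a fixed allowlist. The endpoint and parameter names follow the advisory; the handler names are hypothetical.

```php
<?php
// Added illustration; not the Pegasus CMS or extra_fields.php source.
// The "action" parameter name mirrors the advisory; handler names are
// hypothetical placeholders.

// Vulnerable pattern (the class of bug the advisory describes): an
// untrusted request value reaches eval(), so the client chooses the code.
// Shown for contrast only; it is never called in this file.
function handle_action_unsafe(array $post): void
{
    $action = $post['action'] ?? '';
    eval($action); // never evaluate request input
}

// Hardened replacement: "action" is only ever looked up in a fixed
// allowlist, and the name that is finally dispatched comes from our own
// table, never from the request.
const ACTION_HANDLERS = [
    'save_fields'  => 'extra_fields_save',  // hypothetical handler
    'reset_fields' => 'extra_fields_reset', // hypothetical handler
];

function extra_fields_save(): string { return 'saved'; }
function extra_fields_reset(): string { return 'reset'; }

function handle_action_safe(array $post): string
{
    $action = $post['action'] ?? '';

    // Structural check: a single short lowercase token and nothing else.
    if (!is_string($action) || !preg_match('/^[a-z_]{1,32}$/', $action)) {
        return 'rejected'; // caller should answer HTTP 400
    }
    // Allowlist check: well-formed but unknown actions are refused too.
    if (!array_key_exists($action, ACTION_HANDLERS)) {
        return 'rejected';
    }
    return call_user_func(ACTION_HANDLERS[$action]);
}

// Smoke test with constructed inputs (run: php this_file.php).
if (PHP_SAPI === 'cli') {
    var_dump(handle_action_safe(['action' => 'save_fields']));   // "saved"
    var_dump(handle_action_safe(['action' => 'not a token;']));  // "rejected"
    var_dump(handle_action_safe(['action' => 'unknown_action'])); // "rejected"
    var_dump(handle_action_safe([]));                            // "rejected"
}
```

The same allowlist approach applies to any other request field the plugin previously passed to eval; the key property is that no request bytes are ever interpreted as PHP.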
CVE-2019-25687 is a critical Remote Code Execution vulnerability in Pegasus CMS versions 1.0.0–1.0, allowing attackers to execute arbitrary commands without authentication.
If you are running Pegasus CMS version 1.0.0–1.0 and have not applied a patch, you are vulnerable to this RCE vulnerability.
Upgrade to a patched version of Pegasus CMS as soon as it becomes available. Until then, implement input validation and disable the eval function in extra_fields.php.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's severity and ease of exploitation make it a high-priority target for attackers.
Refer to the Pegasus CMS website or security mailing lists for official advisories and updates regarding this vulnerability.