Platform: php
Component: 08cms-novel-system
Fixed in: 3.0.1, 3.1.1, 3.2.1, 3.3.1, 3.4.1
A code injection vulnerability has been identified in 08CMS Novel System versions 3.0 to 3.4. This flaw resides within the component's Template Handler, specifically the file admina/mtpls.inc.php, allowing attackers to inject and potentially execute malicious code. The vulnerability is remotely exploitable and has been publicly disclosed, increasing the risk of immediate exploitation. A patch is available in version 3.4.1.
Successful exploitation of CVE-2025-15250 allows an attacker to inject and execute arbitrary code on the affected server. This could lead to complete system compromise, including data exfiltration, modification, or deletion. The attacker could potentially gain control of the entire 08CMS Novel System installation, impacting any sensitive data stored within the system, such as user credentials, novel content, or administrative settings. Given the remote accessibility of the vulnerability, the blast radius extends to anyone with network access to the server.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. While no specific active campaigns have been reported, the availability of public information makes it a prime target for opportunistic attackers. The vulnerability is not currently listed on CISA KEV, but its public disclosure warrants close monitoring. The ease of exploitation suggests a medium probability of exploitation.
Exploit Status
EPSS: 0.06% (17th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-15250 is to immediately upgrade 08CMS Novel System to version 3.4.1 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests targeting the vulnerable admina/mtpls.inc.php file. Additionally, restrict access to the admin panel using strong authentication and network segmentation to limit potential damage. Monitor system logs for suspicious activity related to file uploads or code execution.
Update to a patched version of 08CMS Novel System that addresses the code injection vulnerability. If a patched version is not available, consider disabling or removing the Template Handler component (admina/mtpls.inc.php) until a solution can be applied. Consult the provided references for more details and possible mitigations.
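An added example, not code from 08CMS or from this advisory: a log check for the monitoring and WAF advice above that flags requests whose normalized path reaches admina/mtpls.inc.php, so case changes, percent-encoding and extra slashes do not slip past a literal string match. It assumes combined-format access logs and that the file is requested by the path the advisory names; the sample lines are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# Path named in the advisory; matched after normalization.
TARGET = "/admina/mtpls.inc.php"

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [02/Jan/2026:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.9 - - [02/Jan/2026:10:00:02 +0000] "POST /admina/mtpls.inc.php HTTP/1.1" 200 87 "-" "curl/8.0"
203.0.113.9 - - [02/Jan/2026:10:00:03 +0000] "POST /Admina//./MTPLS%2Einc.php?x=1 HTTP/1.1" 200 87 "-" "curl/8.0"
198.51.100.7 - - [02/Jan/2026:10:00:04 +0000] "GET /docs/admina/mtpls.inc.php.txt HTTP/1.1" 404 0 "-" "curl/8.0"
"""

# Client IP, method, request target and status from a combined-format line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')


def normalize_path(raw_target):
    """Reduce a request target to a canonical lower-case path."""
    path = raw_target.split("?", 1)[0]
    for _ in range(2):  # second pass catches double percent-encoding
        path = unquote(path)
    path = path.replace("\\", "/")
    # normpath collapses "//" and "./"; lstrip avoids its special-cased "//" prefix.
    return posixpath.normpath("/" + path.lstrip("/")).lower()


def flag_requests(log_text):
    """Return (ip, method, raw_target, status) for requests that reach TARGET."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        path = normalize_path(target)
        # endswith covers installs in a subdirectory; the "/" form covers PATH_INFO.
        if path.endswith(TARGET) or TARGET + "/" in path:
            hits.append((ip, method, target, int(status)))
    return hits


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

The same normalization order (strip query, decode, collapse separators, lower-case) is what a WAF path rule needs to apply before comparing against the blocked path.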
CVE-2025-15250 is a code injection vulnerability affecting 08CMS Novel System versions 3.0 through 3.4, allowing attackers to execute arbitrary code via the admina/mtpls.inc.php file.
If you are running 08CMS Novel System versions 3.0, 3.1, 3.2, 3.3, or 3.4, you are potentially affected by this vulnerability. Upgrade immediately.
Upgrade 08CMS Novel System to version 3.4.1 or later to patch this vulnerability. As a temporary workaround, implement a WAF rule to block requests to admina/mtpls.inc.php.
While no confirmed active campaigns are currently reported, the public disclosure of this vulnerability increases the risk of exploitation.
Refer to the 08CMS Novel System official website or security advisory channels for the latest information and updates regarding CVE-2025-15250.