Platform: php
Component: ci4-cms-erp/ci4ms
Fixed in: 0.28.6, 0.28.5.0
CVE-2026-25510 is a critical Remote Code Execution (RCE) vulnerability discovered in ci4-cms-erp/ci4ms. This flaw allows authenticated users with file editor permissions to execute arbitrary PHP code on the server, potentially leading to complete system compromise. The vulnerability impacts versions of ci4ms up to and including 0.28.4.0, and a patch is available in version 0.28.5.0.
The impact of CVE-2026-25510 is severe. An attacker exploiting this vulnerability can gain full control over the affected CI4MS server, including the ability to read, modify, and delete any files accessible to the web-server user. Attackers could install malware, steal sensitive data (customer information, financial records, etc.), or use the compromised server as a launchpad for further attacks against other systems on the network. The unrestricted file creation capability makes exploitation relatively straightforward for an authenticated user.
CVE-2026-25510 was publicly disclosed on 2026-02-02. No public proof-of-concept (PoC) code has been widely reported at the time of writing, but the vulnerability's nature suggests a relatively low barrier to exploitation. The vulnerability is not currently listed on CISA KEV, and its exploitation probability is considered medium due to the ease of exploitation and the potential impact.
Exploit Status
EPSS: 0.13% (33rd percentile)
The primary mitigation for CVE-2026-25510 is to immediately upgrade to version 0.28.5.0 or later. If upgrading is not immediately feasible, consider restricting file editor permissions to only trusted users. Implement strict input validation on all file creation and save endpoints to prevent the upload of malicious PHP files. Web Application Firewalls (WAFs) configured to detect and block PHP file uploads to web-accessible directories can provide an additional layer of defense. Monitor file system activity for unexpected PHP file creations.
Update ci4ms to version 0.28.5.0 or higher. This version contains a fix for the remote code execution vulnerability. The update will prevent authenticated users with file editor permissions from executing arbitrary PHP code on the server.
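One way to implement the "strict input validation on all file creation and save endpoints" mitigation described above, as an added example that is not ci4ms project code: the function name, the extension list and the assumption that the editor may only write beneath one base directory are mine.

```php
<?php
// Added example (not ci4ms code): validate the target of a file-editor "save"
// request so an authenticated editor cannot create a file the web server
// would execute as PHP, nor write outside the editor's base directory.
declare(strict_types=1);

// Hypothetical deny-lists; extend them for the handlers your server maps.
const EXECUTABLE_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'php8',
                               'phtml', 'phar', 'phps', 'pht', 'inc'];
const SENSITIVE_BASENAMES = ['.htaccess', '.user.ini', 'web.config'];

/**
 * Returns the absolute path the editor may write to, or null to reject.
 * Every dotted part of the name is checked, so "shell.php.txt" and
 * "shell.PHP" are refused along with "shell.php".
 */
function resolveEditorTarget(string $baseDir, string $relativePath): ?string
{
    // Null bytes and absolute paths are never legitimate editor input.
    if ($relativePath === '' || str_contains($relativePath, "\0")
        || str_starts_with($relativePath, '/')) {
        return null;
    }
    $segments = explode('/', str_replace('\\', '/', $relativePath));
    foreach ($segments as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            return null; // traversal or empty path segment
        }
    }
    $basename = end($segments);
    if (in_array(strtolower($basename), SENSITIVE_BASENAMES, true)) {
        return null; // would change how the server treats other files
    }
    foreach (array_slice(explode('.', strtolower($basename)), 1) as $ext) {
        if (in_array($ext, EXECUTABLE_EXTENSIONS, true)) {
            return null; // executable extension anywhere in the name
        }
    }
    // Resolve the parent directory and confirm it is still inside $baseDir.
    $realBase = realpath($baseDir);
    $parent = $baseDir . '/' . implode('/', array_slice($segments, 0, -1));
    $realParent = realpath($parent);
    if ($realBase === false || $realParent === false
        || !str_starts_with($realParent . '/', rtrim($realBase, '/') . '/')) {
        return null;
    }
    return $realParent . '/' . $basename;
}

// Constructed demo inputs against the script's own directory.
foreach (['about.html', 'shell.php', 'x.php.txt', '../config.php'] as $name) {
    printf("%-16s => %s\n", $name, resolveEditorTarget(__DIR__, $name) ?? 'rejected');
}
```

Requires PHP 8.0 or later for str_contains and str_starts_with; pair it with the permission restriction and file-system monitoring described above rather than relying on the deny-list alone.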
CVE-2026-25510 is a critical Remote Code Execution vulnerability in ci4-cms-erp/ci4ms versions up to 0.28.4.0, allowing authenticated users to execute arbitrary PHP code.
You are affected if you are using ci4-cms-erp/ci4ms version 0.28.4.0 or earlier.
Upgrade to version 0.28.5.0 or later to address the vulnerability. If immediate upgrade is not possible, restrict file editor permissions and implement input validation.
While no widespread exploitation has been confirmed, the vulnerability's ease of exploitation suggests a potential for active exploitation.
Refer to the official ci4-cms-erp project's release notes or security advisories for details on the fix and further information.