External risk intelligence

FoxCMS Sitemap Controller Remote Code Execution

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2025-25789

FoxCMS is a content management system, which is typically deployed as an internet-facing web application. The vulnerability resides in the sitemap controller, a component that is fundamentally intended to be accessible to the public internet and search engine crawlers.

Code Injection

Foxcms

1.2.5

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory highlights a critical vulnerability discovered in FoxCMS, a content management system. The flaw could allow unauthorized remote code execution, potentially impacting the integrity and availability of systems running this software. The primary concern at this stage is to confirm if FoxCMS is in use and if it is exposed to the internet.

  • Code execution vulnerability in content management software.
  • Allows attackers to run unauthorized code remotely.
  • Confirm FoxCMS usage and internet exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit a vulnerability in the sitemap functionality of FoxCMS by sending a specially crafted request to the index() method. This method, located in the controller/Sitemap.php file, is exposed without requiring authentication and can be accessed over the network. Successful exploitation could allow an attacker to execute arbitrary code on the server, leading to a compromise of the entire system.

  • No authentication needed to access.
  • Triggered by a network-request to the sitemap.
  • Risk of remote code execution on server.

Live Threat

Current exploitation, exposure, and threat context

A critical vulnerability in the sitemap controller of FoxCMS could allow an unauthenticated attacker to execute arbitrary code remotely. This could happen when the index() method in Sitemap.php is accessed, potentially affecting the integrity and availability of the entire system.

  • System code execution is at risk.
  • Attacker exploits index() method remotely.
  • Complete system compromise may occur.

Operational Fix

Recommended remediation, mitigation, and detection steps

The presence of a critical remote code execution vulnerability in FoxCMS's sitemap controller necessitates immediate action from teams responsible for web application security and content management systems. The first practical step involves identifying all instances of FoxCMS, confirming their exposure and business criticality, and then assigning an accountable owner for remediation planning.

  • Application owners should address this issue.
  • Verify external reachability and business impact.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is FoxCMS?

FoxCMS is a content management system used to organize and publish digital content. It acts as the backend engine for websites, allowing administrators to manage pages and assets. Because it is designed to serve web content, it typically runs on servers that communicate directly with the internet to support visitors and search engine indexing.

What does CVE-2025-25789 mean for my software?

This CVE represents a flaw classified as CWE-94, or Improper Control of Generation of Code. In plain terms, the application fails to properly sanitize inputs, allowing an attacker to inject and execute their own unauthorized commands on the underlying server. It is a critical remote code execution vulnerability, meaning an attacker could gain control over the system without needing a password or user account.

How is this vulnerability triggered?

The flaw is triggered when an attacker sends a specially crafted network request to the index method within the Sitemap.php controller. Because this controller is designed to handle public-facing site mapping, it does not require authentication to access. Normal, legitimate requests to the sitemap that do not contain malicious code do not trigger the vulnerability; only requests specifically designed to exploit the input handling of the index method are dangerous.

Why is this considered a relevant threat?

According to Halo Surface Signal, FoxCMS is typically deployed as an internet-facing application. Since the vulnerable sitemap controller is meant to be accessible to the public internet and search engine crawlers, the path to the vulnerability is open by design. Systems that are reachable from the internet are at a much higher risk than those isolated on a private, internal-only network.

What should I do if I run FoxCMS?

Your first priority is to locate all instances of FoxCMS running in your environment. Once identified, evaluate whether each instance is exposed to the public internet and determine its role in your business operations. Assign an owner to each instance to prioritize these systems for remediation planning and to ensure they are protected from unauthorized remote access.

References