External risk intelligence

Rox PHP Object Injection leading to Remote Code Execution

CVE advisorySeverity: CRITICAL (CVSS 9.4)

CVE-2025-34292

The vulnerability affects BeWelcome, which is designed as a web application platform. The vulnerable PHP entry points (POST parameters and cookies) are processed directly by the web application, making them accessible to any user interacting with the public-facing web interface.

Deserialization

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability in Rox, the software used by BeWelcome, could allow unauthorized users to execute arbitrary code on affected systems, potentially leading to a full site compromise. This issue arises from the software's handling of untrusted data during data deserialization processes, impacting user recovery functions and memory cookies.

  • Allows unauthorized code execution.
  • Could lead to full site compromise.
  • Confirm relevance and exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending specially crafted data to the BeWelcome web application. If the application processes a POST parameter named `formkit_memory_recovery` or reads a cookie named `bwRemember`, it might deserialize untrusted data. This deserialization process can lead to object injection, allowing an attacker to execute arbitrary code on the server or write files, ultimately compromising the entire site.

  • Requires authenticated access or public exposure.
  • Triggered by deserializing user-controlled input.
  • Risk of arbitrary file write or RCE.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, unauthorized users could execute arbitrary code or write arbitrary files on the server by exploiting a PHP object injection vulnerability within Rox, the software running BeWelcome. This could lead to a complete compromise of the affected site.

  • Arbitrary code execution and file writes.
  • Exploiting deserialization of untrusted input.
  • Full site compromise.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in Rox, the software powering BeWelcome, requires a coordinated response. Application owners are responsible for identifying Rox instances, while infrastructure and security teams should confirm network exposure and business criticality. The first practical step is to locate all deployments, assess their reachability and importance, and then plan remediation, prioritizing critical and externally accessible systems.

  • Identify Rox instances and assess exposure.
  • Confirm ownership and business criticality.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Rox software used for?

Rox is the underlying software framework that powers the BeWelcome platform. BeWelcome is a web-based community service, and Rox handles essential application logic, including data management and user session recovery, to keep the site functioning for its members.

What is PHP object injection in CVE-2025-34292?

This vulnerability is classified as CWE-502, which concerns deserialization of untrusted data. When the software automatically converts incoming data back into a software object, an attacker can supply a malicious, "serialized" object. This forces the server to create unexpected, harmful objects that can trigger unintended actions, such as running unauthorized code or modifying files on the server.

How is the vulnerability triggered?

The flaw is triggered when the application processes specific untrusted input from a user. This occurs when the system reads the 'formkit_memory_recovery' POST parameter or the 'bwRemember' browser cookie. Simply visiting the site without submitting these specific pieces of data does not initiate the risky deserialization process.

Is my instance at risk?

According to Halo Surface Signal, this vulnerability is considered externally accessible. Because BeWelcome is a web application platform, the vulnerable entry points are part of its public interface. If your instance is connected to the internet, it is exposed to these malicious inputs from remote sources.

What should I do if I run this technology?

Start by identifying all instances of the Rox software within your environment. Verify whether these instances are internet-facing and assess their criticality to your operations. Once identified, prioritize these systems for applying the official fix, which is available in commit c60bf04.

References