External risk intelligence

Saurus CMS SQL Injection Vulnerability Allows Code Execution.

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2025-50567

The vulnerability exists in a Content Management System (CMS). CMS platforms are commonly deployed as internet-facing web applications intended to be accessible to public users or administrators over the network, making the vulnerable code path frequently exposed.

SQL Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory addresses a critical vulnerability in Saurus CMS Community Edition, specifically within its database query preparation function. The flaw allows for the injection of malicious SQL statements, which could result in unauthorized code execution on affected systems. The main concern is confirming if this technology is in use and understanding its potential exposure.

  • Flaw allows code execution on CMS.
  • Unauthenticated access could compromise systems.
  • Verify Saurus CMS use and exposure.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can target Saurus CMS Community Edition by sending specially crafted input to the custom `DB::prepare()` function. This function, which incorrectly uses a deprecated `preg_replace()` feature, allows the attacker to inject malicious SQL statements. Successful injection can lead to the execution of arbitrary PHP code on the server.

  • No authentication needed.
  • Inject SQL via `DB::prepare()` function.
  • Leads to arbitrary code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to inject malicious SQL statements through the `DB::prepare()` function. When supported, this could lead to the execution of arbitrary PHP code on the server, potentially impacting system data and service behavior.

  • Server data and configuration at risk.
  • SQL injection via network access.
  • Arbitrary PHP code execution possible.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Saurus CMS Community Edition requires a coordinated response. Application owners are responsible for managing the CMS, while infrastructure and platform teams support its underlying environment. Network and security teams must assess exposure and potential impact, and vendor management should engage with Saurus to understand their remediation roadmap. The immediate first step is to inventory all Saurus CMS instances, determine their internet-facing status and business criticality, and identify the accountable system owner for each.

  • Application owners, platform teams, and security.
  • Verify CMS reachability and business criticality.
  • Plan risk-based remediation with vendor coordination.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Saurus CMS Community Edition?

Saurus CMS Community Edition is a web-based content management system used to build and maintain websites. It functions as a platform for managing digital content and is often hosted on servers to allow administrative or public access over the internet.

What does CWE-89 and CWE-94 mean for CVE-2025-50567?

These codes represent specific security weaknesses. CWE-89 refers to SQL injection, where untrusted data interferes with database queries. CWE-94 involves code injection, where an attacker can execute unauthorized instructions. In this CVE, the CMS improperly handles data in a way that allows a database query to trigger the execution of malicious server-side PHP code.

How can an attacker trigger this vulnerability?

An attacker triggers this by sending specially crafted input to the CMS that is processed by the DB::prepare() function. The flaw relies on this specific function to interpret the input. If the input is not processed through this vulnerable database preparation component, the specific code execution path described in this CVE is not triggered.

Is my instance of Saurus CMS at risk?

Halo Surface Signal indicates that CMS platforms are typically deployed as internet-facing applications, increasing the likelihood of exposure to remote attackers. If your instance is reachable over the network, it is considered more accessible to potential threats compared to internal-only systems, necessitating a review of its current network configuration.

What should I do if I run this software?

Your first step is to create a complete inventory of all Saurus CMS instances within your environment. Determine which systems are internet-facing versus those restricted to internal networks, identify the system owners for each, and engage with the vendor to monitor for available updates or guidance on securing the affected DB::prepare() function.

References