critical advisory

baserCMS Pre-Auth Arbitrary Code Execution via Zip Upload (CVE-2025-32957)

baserCMS versions prior to 5.2.3 are vulnerable to arbitrary code execution via a crafted zip file upload through the restore function, leading to unauthenticated remote command execution on the webserver.

baserCMS, a website development framework, contains an arbitrary code execution vulnerability in versions prior to 5.2.3. The vulnerability, identified as CVE-2025-32957, lies within the application’s restore function. This function allows users, including potentially unauthenticated users depending on configuration, to upload a .zip file. The uploaded archive is automatically extracted by the application. A PHP file within the extracted archive is then included using require_once without…
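The flaw described above depends on an uploaded archive delivering a PHP file that the application later includes. As an added example (not baserCMS code and not the 5.2.3 fix), this Python check inspects an archive before extraction and reports entries that have no place in a data backup; the function names, the suffix list and the sample archives are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Suffixes a PHP-enabled web server may execute (assumed list; match it to the server's handler config).
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".phar"}


def audit_restore_archive(data: bytes) -> list[str]:
    """Return reasons to reject an uploaded archive; an empty list means no finding."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    with archive:
        for info in archive.infolist():
            path = PurePosixPath(info.filename.replace("\\", "/"))
            # Entries that would be written outside the extraction directory.
            if path.is_absolute() or ".." in path.parts:
                findings.append(f"path escapes extraction dir: {info.filename}")
            # Any suffix in the chain counts, so "dump.php.sql" is flagged too.
            if {s.lower() for s in path.suffixes} & EXECUTABLE_SUFFIXES:
                findings.append(f"executable PHP content: {info.filename}")
            # Unix symlink entries carry their mode in the upper 16 bits of external_attr.
            if (info.external_attr >> 16) & 0o170000 == 0o120000:
                findings.append(f"symlink entry: {info.filename}")
    return findings


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from name -> content (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a plain SQL backup and an archive that also carries a PHP file.
CLEAN = build_zip({"backup/contents.sql": b"INSERT INTO contents VALUES (1);"})
SUSPECT = build_zip({"backup/contents.sql": b"-- data",
                     "backup/restore.php": b"<?php // placeholder ?>"})

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, audit_restore_archive(blob))
```

The same function can be pointed at archives already found in an upload or temporary directory during triage by reading each file's bytes and passing them in.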

Detection coverage: 2

Detect baserCMS Restore Function Access

medium

Detects access to the baserCMS restore function, potentially indicating an attempted exploit of CVE-2025-32957.

sigma; tactics: initial_access; techniques: T1190; sources: webserver, linux

Detect PHP Execution from Temporary Directory (baserCMS Exploit)

high

Detects PHP execution from a temporary directory, which might indicate exploitation of CVE-2025-32957 in baserCMS.

sigma; tactics: execution; techniques: T1059.001; sources: process_creation, linux

Detection queries are kept inside the platform.

Indicators of compromise

1 email, 3 url