high threat

Redaxo CMS Mediapool Addon Arbitrary File Upload Vulnerability (CVE-2018-25353)

Redaxo CMS Mediapool Addon version 5.5.1 and older contains an arbitrary file upload vulnerability (CVE-2018-25353) that allows authenticated users to bypass file extension blacklist restrictions, leading to arbitrary code execution.

Redaxo CMS is a content management system written in PHP. The Mediapool Addon, up to version 5.5.1, suffers from an arbitrary file upload vulnerability (CVE-2018-25353). Authenticated users with editor privileges can bypass file extension blacklist restrictions implemented within the Mediapool functionality. By uploading files with double extensions or other obfuscated file extensions (e.g., php71, php53), attackers can circumvent the blacklist and upload malicious PHP files. This allows them to execute arbitrary code on the web server. This vulnerability was reported on May 23, 2026, and poses a significant threat to Redaxo CMS installations that have not been patched.

Attack Chain

  1. Attacker gains valid editor credentials for the Redaxo CMS.
  2. Attacker logs into the Redaxo CMS administration panel.
  3. Attacker navigates to the Mediapool section.
  4. Attacker attempts to upload a malicious PHP file (e.g., webshell.php) through the Mediapool upload functionality.
  5. The CMS checks the file extension against a blacklist.
  6. To bypass the blacklist, the attacker renames the file with an obfuscated extension like “webshell.php71” or “webshell.php53”.
  7. The server accepts the file due to the bypassed extension check.
  8. The attacker accesses the uploaded file through a direct HTTP request (e.g., http://example.com/redaxo/media/webshell.php71), triggering the execution of the malicious PHP code on the server.

Impact

Successful exploitation of this vulnerability grants the attacker the ability to execute arbitrary PHP code on the Redaxo CMS web server. This can lead to complete compromise of the server, including data theft, website defacement, or further lateral movement within the network. Given that the vulnerable versions are relatively old, systems that have not been regularly updated are most at risk.

Recommendation

  • Upgrade the Redaxo CMS Mediapool Addon to a version later than 5.5.1 to patch CVE-2018-25353.
  • Implement stricter file extension validation on the server side, using a whitelist approach instead of a blacklist.
  • Monitor web server logs for requests to unusual file extensions in the Mediapool directory using the Sigma rule provided.
  • Implement the second Sigma rule to detect file uploads with suspicious extensions to the Mediapool.

Detection coverage (2 rules)

Detects CVE-2018-25353 Exploitation — Suspicious File Extension Access in Redaxo Mediapool

Severity: high

Detects CVE-2018-25353 exploitation — Access to files with suspicious extensions (e.g., php71, php53) within the Redaxo Mediapool directory.

Format: Sigma. Tactics: execution. Techniques: T1203. Sources: webserver.
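The access check this rule describes, sketched as an added Python example over web server logs (this is not the platform's Sigma rule). The combined log format, the `/media/` path segment, the extension pattern beyond php71 and php53, and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumptions (not taken from the platform's rules): combined log format,
# media files served under a "/media/" path segment, and this extension list.
MEDIA_SEGMENT = "/media/"
PHP_LIKE = re.compile(r"^(php\d*|phtml|phar)$", re.IGNORECASE)
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def php_like_segment(path):
    """Return the first PHP-like dot-segment of the file name, else None.
    Every segment after the first dot is checked, so "x.php.jpg" is caught."""
    filename = path.rsplit("/", 1)[-1]
    for segment in filename.split(".")[1:]:
        if PHP_LIKE.match(segment):
            return segment.lower()
    return None

def scan(lines):
    """Yield (ip, path, status, segment) for suspicious media requests."""
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        # Drop the query string and percent-decode before inspecting the name.
        path = unquote(urlsplit(m["target"]).path)
        if MEDIA_SEGMENT not in path.lower():
            continue
        segment = php_like_segment(path)
        if segment:
            yield m["ip"], path, int(m["status"]), segment

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /redaxo/media/webshell.php71 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /redaxo/media/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /media/report.php.jpg?x=1 HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:10:02:00 +0000] "GET /index.php?page=media HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [01/Jan/2024:10:03:00 +0000] "GET /media/notes%2Ephp53 HTTP/1.1" 200 77 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The status code is returned so that hits can be triaged: a 200 confirms the file exists in the media directory, while whether it ran as PHP depends on how the server maps that extension to a handler.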

Detects CVE-2018-25353 Attempt — Redaxo Mediapool File Upload with Suspicious Extension

Severity: medium

Detects CVE-2018-25353 attempt — File upload to Redaxo Mediapool directory with suspicious PHP-like extension in the filename.

Format: Sigma. Tactics: initial_access. Techniques: T1189. Sources: webserver.
