{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/mediapool-addon/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2018-25353"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Mediapool Addon"],"_cs_severities":["high"],"_cs_tags":["file-upload","web-application","code-execution"],"_cs_type":"threat","_cs_vendors":["Redaxo"],"content_html":"\u003cp\u003eRedaxo CMS is a content management system written in PHP. The Mediapool Addon, up to version 5.5.1, suffers from an arbitrary file upload vulnerability (CVE-2018-25353). Authenticated users with editor privileges can bypass file extension blacklist restrictions implemented within the Mediapool functionality. By uploading files with double extensions or other obfuscated file extensions (e.g., php71, php53), attackers can circumvent the blacklist and upload malicious PHP files. This allows them to execute arbitrary code on the web server. \nThis vulnerability was reported on May 23, 2026, and poses a significant threat to Redaxo CMS installations that have not been patched.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains valid editor credentials for the Redaxo CMS.\u003c/li\u003e\n\u003cli\u003eAttacker logs into the Redaxo CMS administration panel.\u003c/li\u003e\n\u003cli\u003eAttacker navigates to the Mediapool section.\u003c/li\u003e\n\u003cli\u003eAttacker attempts to upload a malicious PHP file (e.g., webshell.php) through the Mediapool upload functionality.\u003c/li\u003e\n\u003cli\u003eThe CMS checks the file extension against a blacklist.\u003c/li\u003e\n\u003cli\u003eTo bypass the blacklist, the attacker renames the file with an obfuscated extension like \u0026ldquo;webshell.php71\u0026rdquo; or \u0026ldquo;webshell.php53\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe server accepts the file due to the bypassed extension check.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the uploaded file through a direct HTTP request (e.g., \u003ccode\u003ehttp://example.com/redaxo/media/webshell.php71\u003c/code\u003e), triggering the execution of the malicious PHP code on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants the attacker the ability to execute arbitrary PHP code on the Redaxo CMS web server. This can lead to complete compromise of the server, including data theft, website defacement, or further lateral movement within the network. \nGiven that the vulnerable versions are relatively old, systems that have not been regularly updated are most at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Redaxo CMS Mediapool Addon to a version greater than 5.5.1 to patch CVE-2018-25353.\u003c/li\u003e\n\u003cli\u003eImplement stricter file extension validation on the server side, using a whitelist approach instead of a blacklist.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to unusual file extensions in the Mediapool directory using the Sigma rule provided.\u003c/li\u003e\n\u003cli\u003eImplement the second Sigma rule to detect file uploads with suspicious extensions to the Mediapool.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T13:42:11Z","date_published":"2026-05-26T13:42:11Z","id":"https://feed.craftedsignal.io/briefs/2026-05-redaxo-file-upload/","summary":"Redaxo CMS Mediapool Addon version 5.5.1 and older contains an arbitrary file upload vulnerability (CVE-2018-25353) that allows authenticated users to bypass file extension blacklist restrictions, leading to arbitrary code execution.","title":"Redaxo CMS Mediapool Addon Arbitrary File Upload Vulnerability (CVE-2018-25353)","url":"https://feed.craftedsignal.io/briefs/2026-05-redaxo-file-upload/"}],"language":"en","title":"CraftedSignal Threat Feed — Mediapool Addon","version":"https://jsonfeed.org/version/1.1"}