Mediapool Addon — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/mediapool-addon/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 26 May 2026 13:42:11 +0000Redaxo CMS Mediapool Addon Arbitrary File Upload Vulnerability (CVE-2018-25353)https://feed.craftedsignal.io/briefs/2026-05-redaxo-file-upload/Tue, 26 May 2026 13:42:11 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-redaxo-file-upload/Redaxo CMS Mediapool Addon version 5.5.1 and older contains an arbitrary file upload vulnerability (CVE-2018-25353) that allows authenticated users to bypass file extension blacklist restrictions, leading to arbitrary code execution.Redaxo CMS is a content management system written in PHP. The Mediapool Addon, up to version 5.5.1, suffers from an arbitrary file upload vulnerability (CVE-2018-25353). Authenticated users with editor privileges can bypass file extension blacklist restrictions implemented within the Mediapool functionality. By uploading files with double extensions or other obfuscated file extensions (e.g., php71, php53), attackers can circumvent the blacklist and upload malicious PHP files. This allows them to execute arbitrary code on the web server. This vulnerability was reported on May 23, 2026, and poses a significant threat to Redaxo CMS installations that have not been patched.

Attack Chain

  1. Attacker gains valid editor credentials for the Redaxo CMS.
  2. Attacker logs into the Redaxo CMS administration panel.
  3. Attacker navigates to the Mediapool section.
  4. Attacker attempts to upload a malicious PHP file (e.g., webshell.php) through the Mediapool upload functionality.
  5. The CMS checks the file extension against a blacklist.
  6. To bypass the blacklist, the attacker renames the file with an obfuscated extension like “webshell.php71” or “webshell.php53”.
  7. The server accepts the file due to the bypassed extension check.
  8. The attacker accesses the uploaded file through a direct HTTP request (e.g., http://example.com/redaxo/media/webshell.php71), triggering the execution of the malicious PHP code on the server.

Impact

Successful exploitation of this vulnerability grants the attacker the ability to execute arbitrary PHP code on the Redaxo CMS web server. This can lead to complete compromise of the server, including data theft, website defacement, or further lateral movement within the network. Given that the vulnerable versions are relatively old, systems that have not been regularly updated are most at risk.

Recommendation

  • Upgrade the Redaxo CMS Mediapool Addon to a version greater than 5.5.1 to patch CVE-2018-25353.
  • Implement stricter file extension validation on the server side, using a whitelist approach instead of a blacklist.
  • Monitor web server logs for requests to unusual file extensions in the Mediapool directory using the Sigma rule provided.
  • Implement the second Sigma rule to detect file uploads with suspicious extensions to the Mediapool.
]]>highthreatfile-uploadweb-applicationcode-execution