## https://sploitus.com/exploit?id=A37B09D6-1677-5EA8-BA45-6B1D5541554A
# CVE-2025-61505: Insecure Deserialization in e107 CMS install.php
**Discoverer:** Anas Abderrahman Benbarek
**CVE ID:** CVE-2025-61505
**Affected Software:** e107 CMS ≤ 2.3.3 (all versions up to and including 2.3.3)
**Download Link:** https://e107.org/download
**Vulnerability Type:** Insecure Deserialization (CWE-502)
**Description**
During the installation process, `install.php` calls `unserialize(base64_decode($_POST['previous_steps']))` without restrictions (around line 268 and in the `e_install` constructor). This allows attackers to submit crafted serialized PHP objects via POST, potentially leading to RCE via POP chains if gadgets exist in e107 classes.
**Impact**
- Remote Code Execution (possible)
- Arbitrary file operations or DoS
- **Limited to installation phase**: safe on live sites if install.php is removed post-setup.
**Attack Vector**
Remote HTTP POST to install.php with malicious `previous_steps` parameter.
**Mitigation / Fix**
- Use `json_decode(base64_decode(...), true)` instead.
- Or `unserialize(..., ['allowed_classes' => false])` for PHP ≥ 7.0.
- Always delete/rename install.php after installation.
- Avoid exposing install.php on public servers.
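
The two decoding options above, written out as an added example (this is not e107 code and not the project's fix). The function names, the `WakeupProbe` class and the sample field names are hypothetical; the point is that `allowed_classes => false` still yields placeholder objects, so the decoded value should also be checked to be plain data.

```php
<?php
// Added example, not e107 code; every function and class name is hypothetical.
// WakeupProbe stands in for any class with a magic method; it only sets a flag.
final class WakeupProbe {
    public static $ran = false;
    public function __wakeup() { self::$ran = true; }
}

// Allowlist check: nested arrays of scalars/null only. Anything else, including
// the __PHP_Incomplete_Class placeholders unserialize() creates, is refused.
function only_plain_data(array $a): bool {
    foreach ($a as $v) {
        if (is_array($v) ? !only_plain_data($v) : !(is_scalar($v) || $v === null)) {
            return false;
        }
    }
    return true;
}

// Option 1 from the list above: JSON cannot encode PHP objects at all.
function decode_steps_json(string $field): array {
    $raw = base64_decode($field, true);            // strict mode rejects stray bytes
    $steps = ($raw === false) ? null : json_decode($raw, true, 8);
    if (!is_array($steps)) {
        throw new InvalidArgumentException('previous_steps: expected a JSON array');
    }
    return $steps;
}

// Option 2: keep the serialize() format but never instantiate classes.
function decode_steps_legacy(string $field): array {
    $raw = base64_decode($field, true);
    $steps = ($raw === false) ? false : unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($steps) || !only_plain_data($steps)) {
        throw new InvalidArgumentException('previous_steps: expected a plain array');
    }
    return $steps;
}

// Constructed inputs: field names and values are illustrative only.
$plain = ['language' => 'English', 'stage' => 3];
var_dump(decode_steps_json(base64_encode(json_encode($plain))) === $plain);
var_dump(decode_steps_legacy(base64_encode(serialize($plain))) === $plain);
try {
    decode_steps_legacy(base64_encode(serialize(['x' => new WakeupProbe()])));
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
var_dump(WakeupProbe::$ran);   // records whether __wakeup() ran during decoding
```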
**References**
- Source: https://github.com/e107inc/e107/blob/master/install.php
- Official CVE: https://nvd.nist.gov/vuln/detail/CVE-2025-61505 (pending full details)
Credit: Anas Abderrahman Benbarek (responsible disclosure)