Authenticated Remote Code Execution Discovered in JuzaWeb CMS 3.4.2
What Happened – Researchers released a public exploit that lets an attacker who can log in as an administrator inject a PHP web‑shell into JuzaWeb CMS 3.4.2 and execute arbitrary OS commands on the underlying server. The exploit works against any deployment of the open‑source CMS that has not been patched.
Why It Matters for TPRM –
- A compromised vendor website can be used to host malicious payloads that affect downstream customers.
- Credential‑based RCE bypasses network‑perimeter defenses; weak admin passwords amplify risk.
- No CVE has been assigned yet, so many organizations may be unaware of the exposure.
Who Is Affected – Companies that host public‑facing websites, portals, or intranets on JuzaWeb CMS (common in media, education, small‑to‑mid‑size enterprises, and some government portals).
Recommended Actions –
- Inventory all third‑party sites that run JuzaWeb CMS 3.4.2.
- Enforce strong, unique admin credentials and enable multi‑factor authentication where possible.
- Apply the vendor‑provided patch or upgrade to the latest JuzaWeb release.
- Conduct a web‑application security review for possible web‑shell remnants.
Technical Notes – The exploit logs in via the /admin-cp/login endpoint, captures the CSRF token, then overwrites a plugin file (src/routes/api.php) with a PHP shell that executes commands passed via the cmd query parameter. No CVE ID has been assigned (pending). The attack requires authentication, so it depends on stolen or weak admin credentials. Source: Exploit-DB 52518
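Added example (not from the advisory or the JuzaWeb project): a small Python scanner a reviewer could run over a JuzaWeb deployment to find PHP files in which OS-command functions receive request-controlled input, the pattern the technical notes describe. The two PHP snippets embedded below are constructed for the test, and the taint tracking is deliberately heuristic (per-file, regex-based, no cross-file analysis).

```python
"""Flag PHP files where OS-command functions are fed from request superglobals."""
import re
from pathlib import Path

# Functions that execute OS commands or PHP code, and the superglobals that carry request input.
EXEC_FUNCS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open", "eval")
EXEC_RE = re.compile(r"\b(" + "|".join(EXEC_FUNCS) + r")\s*\(([^;)]*)", re.I)
REQUEST_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[")
ASSIGN_RE = re.compile(r"(\$\w+)\s*=(?!=)\s*(.*?);")   # $var = ...;  (not ==)
VAR_RE = re.compile(r"\$\w+")


def scan_php_source(src):
    """Return (line, function, args) for every exec-style call whose arguments are request-derived."""
    tainted = set()      # variables assigned from a superglobal or from another tainted variable
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for var, rhs in ASSIGN_RE.findall(line):
            if REQUEST_RE.search(rhs) or any(v in tainted for v in VAR_RE.findall(rhs)):
                tainted.add(var)
        for func, args in EXEC_RE.findall(line):
            if REQUEST_RE.search(args) or any(v in tainted for v in VAR_RE.findall(args)):
                findings.append((lineno, func.lower(), args.strip()))
    return findings


def scan_tree(root):
    """Walk a directory (for example the plugin tree) and return {path: findings} for flagged files."""
    report = {}
    for path in Path(root).rglob("*.php"):
        hits = scan_php_source(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


# Constructed samples: the minimal cmd-parameter shell shape the advisory describes, and a benign
# route file that reads request input but never passes it to a command function.
SAMPLE_SHELL = "<?php\n$c = $_GET['cmd'];\nsystem($c);\n"
SAMPLE_ROUTES = ("<?php\nuse Illuminate\\Support\\Facades\\Route;\n"
                 "Route::get('/api/ping', fn () => response()->json(['ok' => true]));\n"
                 "$q = $_GET['q'];\necho htmlspecialchars($q);\n")

if __name__ == "__main__":
    import sys
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for lineno, func, args in hits:
            print(f"{path}:{lineno}: {func}({args}) receives request-controlled input")
```

Run it against the web root after a suspected compromise and review every hit by hand; a legitimate JuzaWeb route file should yield none.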