CVE-2025-55041 in MuraCMS

Summary

by MITRE • 03/18/2026

MuraCMS through 10.1.10 contains a CSRF vulnerability in the Add To Group functionality for user management (cUsers.cfc addToGroup method) that allows attackers to escalate privileges by adding any user to any group without proper authorization checks. The vulnerable function lacks CSRF token validation and directly processes user-supplied userId and groupId parameters via getUserManager().createUserInGroup(), enabling malicious websites to forge requests that automatically execute when an authenticated administrator visits a crafted page. Adding a user to the Super Admins group (s2 user) is not possible. Successful exploitation results in the attacker gaining privilege escalation both horizontally to other groups and vertically to the admin group. Escalation to the s2 User group is not possible.


Analysis

by VulDB Data Team • 03/24/2026

CVE-2025-55041 is a critical cross-site request forgery vulnerability in MuraCMS versions 10.1.10 and earlier, affecting user management through the cUsers.cfc addToGroup method. The method performs no CSRF token validation and passes the user-supplied userId and groupId parameters to getUserManager().createUserInGroup() without adequate authorization verification, so a forged request can change group memberships. The attack relies on an authenticated administrator visiting an attacker-controlled web page, whose embedded request the browser submits with the administrator's session; the application's trust in that session is what makes the flaw dangerous. The weakness is classified as CWE-352 (Cross-Site Request Forgery) and is mapped to ATT&CK techniques T1078.004 (Valid Accounts) and T1496 (Resource Hijacking), since an attacker effectively hijacks an administrative session to obtain elevated privileges. The defect sits at the application layer, where input validation and session management are insufficiently enforced in the group-membership modification path: when the administrator's browser submits the forged request, addToGroup runs with administrator privileges and modifies user group memberships without proper authentication or authorization checks.

The impact goes beyond simple privilege escalation: an attacker can move horizontally between user groups and escalate vertically into administrative groups. Exploitation consists of crafting a web page that automatically submits a request to the vulnerable MuraCMS endpoint with chosen userId and groupId values. The s2 User group, the highest privilege level in MuraCMS, cannot be reached this way, so complete system compromise is prevented, but the attacker still gains substantial control over the system's user management and access to various administrative functions and user accounts. No privileges are required beyond getting a victim administrator to visit a malicious page, which makes the flaw especially dangerous where administrators browse untrusted websites or where social engineering is common. The attack is a classic client-side abuse of the application's trust in authenticated sessions, with potential consequences including data breaches, system manipulation and unauthorized access to sensitive information.

Mitigation of CVE-2025-55041 must address both the specific defect and the broader security posture. Anti-CSRF tokens should be mandatory for every state-changing operation, particularly user management functions; the fix should add token validation to the cUsers.cfc addToGroup method so that any request carrying userId and groupId parameters is strictly verified before it is processed. Proper authorization checks around getUserManager().createUserInGroup() are equally essential, so that only authorized administrators can modify group memberships. Session management should be strengthened with secure session handling, and administrative functions should require explicit confirmation before execution. These measures correspond to OWASP Top Ten 2021 A01:2021 - Broken Access Control and to the NIST Cybersecurity Framework controls PR.AC-1 and PR.AC-4 on access control and authorization. A web application firewall can help detect and block suspicious CSRF patterns, and regular security assessments should look for the same weakness in other application components. Patch management should ensure every MuraCMS instance runs a version that addresses this vulnerability, with particular attention to the user management functions identified here. Remediation should be verified by testing that CSRF protection works and that unauthorized privilege escalation attempts are blocked.
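The token and authorization checks the mitigation paragraph calls for, shown as an added illustration that is not MuraCMS code: the Session and Request shapes, the group names, the site origin and the helper names are assumptions made for this example.

```python
"""Constructed "add user to group" handler, before and after CSRF hardening.

Not MuraCMS code: Session/Request shapes, group ids and the site origin
are assumptions for illustration only.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

SUPER_ADMIN_GROUP = "s2"  # assumed id for the super-admin group, never grantable here
SITE_ORIGIN = "https://cms.example.test"  # assumed origin of the CMS itself


@dataclass
class Session:
    user_id: str
    is_admin: bool
    # Token generated per session and never exposed to other origins
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    params: dict                 # form/query parameters; attacker-chosen in a CSRF
    origin: Optional[str] = None  # Origin header; cross-site POSTs carry a foreign origin


class Forbidden(Exception):
    pass


def add_to_group_unprotected(request, session, memberships):
    """Before: trusts the session cookie alone, so any page the admin visits
    can submit userId/groupId on the admin's behalf."""
    memberships.setdefault(request.params["userId"], set()).add(request.params["groupId"])
    return True


def add_to_group_protected(request, session, memberships):
    """After: session-bound token, origin check, explicit authorization."""
    submitted = request.params.get("csrfToken", "").encode()
    if not hmac.compare_digest(submitted, session.csrf_token.encode()):
        raise Forbidden("missing or invalid CSRF token")  # constant-time compare
    if request.origin is not None and request.origin != SITE_ORIGIN:
        raise Forbidden("cross-origin request")  # defence in depth
    if not session.is_admin:
        raise Forbidden("caller is not an administrator")
    group_id = request.params["groupId"]
    if group_id == SUPER_ADMIN_GROUP:
        raise Forbidden("super-admin membership cannot be granted here")
    memberships.setdefault(request.params["userId"], set()).add(group_id)
    return True


def is_rejected(handler, request, session, memberships):
    """True when the handler refuses the request (used for checks below)."""
    try:
        handler(request, session, memberships)
    except Forbidden:
        return True
    return False
```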

Responsible: MITRE

Reservation: 08/06/2025

Disclosure: 03/18/2026

Moderation: accepted

CPE: ready

EPSS: 0.00024

KEV: no

Activities: very low
