CVE-2025-6967 in Sarman
Summary
by MITRE • 02/10/2026
Execution After Redirect (EAR) vulnerability in Sarman Soft Software and Technology Services Industry and Trade Ltd. Co. CMS allows JSON Hijacking (aka JavaScript Hijacking), Authentication Bypass.
This issue affects CMS: through 10022026.
NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 06/06/2026
The CVE-2025-6967 vulnerability represents a critical security flaw in the CMS platform developed by Sarman Soft Software and Technology Services Industry and Trade Ltd. This vulnerability manifests as an Execution After Redirect (EAR) condition that enables attackers to exploit JSON Hijacking techniques, commonly referred to as JavaScript Hijacking. The flaw exists within the authentication mechanisms of the CMS system, specifically affecting versions through 10022026, creating a dangerous vector for unauthorized access and system compromise. The vulnerability's classification under CWE-424 indicates a weakness in the system's ability to properly handle redirected requests, allowing malicious actors to execute code or bypass authentication controls after being redirected to a different page or endpoint within the application's navigation structure.
The technical exploitation of this vulnerability occurs when the CMS fails to properly validate or sanitize redirect parameters, enabling attackers to manipulate the application's flow and execute unauthorized operations. The JSON Hijacking aspect of this vulnerability allows threat actors to intercept and manipulate JSON responses that are intended for legitimate JavaScript applications, potentially enabling them to extract sensitive data or perform unauthorized actions on behalf of authenticated users. This particular flaw operates at the application layer, where the CMS does not adequately verify the integrity of redirect operations or ensure that subsequent execution occurs within the intended security context. The authentication bypass component demonstrates how the EAR vulnerability can be leveraged to circumvent the system's access controls, potentially granting attackers full administrative privileges or access to restricted resources within the CMS environment.
The operational impact of CVE-2025-6967 extends beyond simple data theft or unauthorized access, as it creates a persistent threat vector that could allow attackers to establish long-term presence within affected systems. Organizations utilizing this CMS version face significant risks including data breaches, system compromise, and potential lateral movement within their network infrastructure. The vulnerability's susceptibility to JSON Hijacking techniques means that attackers could potentially access sensitive user information, manipulate content management operations, or even exfiltrate confidential data through the manipulated JSON responses. Given that this vulnerability affects a widely used content management system, the potential for widespread exploitation exists across multiple organizations that have not yet patched their installations. The lack of vendor response to early disclosure attempts further compounds the risk, leaving affected parties without official patches or mitigation guidance during the critical window of vulnerability exposure.
Security professionals should consider implementing network-level mitigations including firewall rules that restrict access to potentially vulnerable endpoints and monitoring for unusual redirect patterns or JSON response manipulation attempts. The vulnerability's characteristics align with ATT&CK techniques related to credential access and privilege escalation, specifically targeting the T1566.001 and T1078 sub-techniques that involve social engineering and valid accounts respectively. Organizations should also implement robust input validation controls and ensure that all redirect operations within the CMS are properly validated and sanitized to prevent attackers from manipulating the application flow. Regular security assessments and penetration testing should be conducted to identify similar vulnerabilities within the application's redirect and authentication mechanisms, while also monitoring for any signs of exploitation attempts that might indicate active compromise of affected systems.