[CVE-2025-32101] Critical Security Vulnerability Affecting UNA CMS
Hello everyone!
With the release of UNA CMS version 14.0.0-RC5, a critical security issue I discovered has been (silently!) fixed. So, it's not just some "security enhancements" (see github(.)com/unacms/una/commit/48b6c49), but an actual fix for a critical Remote Code Execution (RCE) vulnerability (also known as CVE-2025-32101) that might allow unauthenticated attackers to gain full control over the web server. This poses a severe risk to all UNA users and infrastructures, potentially leading to data breaches, service disruption, and full system compromise.
Given the critical nature of this issue, I privately reported it to @Andrey Yasko and the UNA team in order to facilitate a "responsible disclosure". However, so far no public announcements about this vulnerability have been made by the UNA team. So, here comes my question: how should UNA users be pushed to urgently update their UNA instances without an official announcement? That's why I've decided to open this discussion: to raise awareness among UNA users!
Since I truly believe in the "full disclosure" model, I'm going to publish details about this vulnerability early next week. Hopefully, this will make UNA users update their UNA instances as soon as possible, in order to prevent potential exploitation.