DCP-Portal CMS v6 PHP Remote File Inclusion RCE

Advisories

severity: critical
date: November 10, 2025
Affecting: DCP-Portal CMS v6
An affected version range remains undefined
CVE: CVE-2006-4837
CWE: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVSS: 9.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: ExploitDB-22127
ExploitDB-1905
Shadowserver Exploitation Evidence
DCP-Portal Product Site
Credit: frog
Description: Multiple PHP remote file inclusion vulnerabilities in DCP-Portal SE 6.0 allow remote attackers to execute arbitrary PHP code via a URL in the root parameter in (1) library/lib.php and (2) library/editor/editor.php. NOTE: the same primary issue can be used for full path disclosure with an invalid parameter that reveals the installation path in an error message. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-24 UTC.