TYPO3 Admin-to-System-Maintainer Privilege Escalation via Backend User in 10.0.0 up to (but not including) 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS and 13.4.12 LTS
CVE-2025-47940 Published on May 20, 2025
TYPO3 CMS Vulnerable to Privilege Escalation to System Maintainer
TYPO3 is an open source, PHP based web content management system. Starting in version 10.0.0 and prior to versions 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, administrator-level backend users without system maintainer privileges can escalate their privileges and gain system maintainer access. Exploiting this vulnerability requires a valid administrator account. Users should update to TYPO3 version 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS to fix the problem.
Vulnerability Analysis
CVE-2025-47940 is exploitable over the network and requires privileges: the attacker must already hold an administrator-level backend account that is not a system maintainer. The attack complexity is considered low. The potential impact of a successful exploit is considered very high, since system maintainer access controls the installation itself rather than just its content.
Weakness Type
Unverified Ownership
The software does not properly verify that a critical resource is owned by the proper entity.
Products Associated with CVE-2025-47940
Affected Versions
typo3:
- Version >= 10.0.0, < 10.4.50 is affected.
- Version >= 11.0.0, < 11.5.44 is affected.
- Version >= 12.0.0, < 12.4.31 is affected.
- Version >= 13.0.0, < 13.4.12 is affected.
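Two questions a practitioner asks on reading the ranges above are "is my installation in one of them?" and "which accounts could actually use this?". The following is an added example (not code from stack.watch, TYPO3 or the advisory) that answers both: it checks a version string against exactly the four ranges listed, and it lists enabled, undeleted admin accounts that are not system maintainers, i.e. the population that can exploit CVE-2025-47940 on an affected instance. The `be_users` column names (`uid`, `username`, `admin`, `deleted`, `disable`) and the `systemMaintainers` setting mirror real TYPO3 concepts, but the rows and uids below are constructed sample data; versions outside every listed branch return "not affected" only because the advisory makes no statement about them.

```python
"""Triage helpers for CVE-2025-47940 (added example, not from the advisory)."""
from __future__ import annotations

import re

# Affected ranges exactly as the advisory lists them: (branch minimum, first fixed version).
# A version is affected when branch_min <= version < fixed_version.
AFFECTED_RANGES = [
    ((10, 0, 0), (10, 4, 50)),
    ((11, 0, 0), (11, 5, 44)),
    ((12, 0, 0), (12, 4, 31)),
    ((13, 0, 0), (13, 4, 12)),
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'v12.4.30', '12.4.30-dev' or '13.4.12 LTS' into an (major, minor, patch) tuple.

    Suffixes such as '-dev' or ' LTS' are ignored; only the numeric triple matters
    for the range comparison.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised TYPO3 version string: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the advisory's listed ranges.

    Versions outside every listed branch (e.g. 9.x or 14.x) return False because
    the advisory says nothing about them, not because they are known to be safe.
    """
    v = parse_version(version)
    return any(lo <= v < fixed for lo, fixed in AFFECTED_RANGES)


def admins_not_maintainers(be_users, system_maintainers):
    """Return usernames of enabled, undeleted admin accounts that are not system maintainers.

    These are the accounts that could escalate under CVE-2025-47940. `be_users` rows
    mirror TYPO3's be_users table (uid, username, admin, deleted, disable);
    `system_maintainers` mirrors $GLOBALS['TYPO3_CONF_VARS']['SYS']['systemMaintainers'],
    a list of be_users uids. The data passed in by the caller is assumed, not fetched.
    """
    maintainers = set(system_maintainers)
    return sorted(
        row["username"]
        for row in be_users
        if row["admin"] and not row["deleted"] and not row["disable"]
        and row["uid"] not in maintainers
    )


# Constructed sample data (not from any real installation).
SAMPLE_BE_USERS = [
    {"uid": 1, "username": "root_admin", "admin": 1, "deleted": 0, "disable": 0},
    {"uid": 2, "username": "site_admin", "admin": 1, "deleted": 0, "disable": 0},
    {"uid": 3, "username": "old_admin", "admin": 1, "deleted": 1, "disable": 0},
    {"uid": 4, "username": "editor", "admin": 0, "deleted": 0, "disable": 0},
    {"uid": 5, "username": "locked_admin", "admin": 1, "deleted": 0, "disable": 1},
]
SAMPLE_SYSTEM_MAINTAINERS = [1]  # only root_admin is a maintainer

if __name__ == "__main__":
    for v in ("10.4.49", "10.4.50", "12.4.30", "13.4.12", "v13.4.11-dev"):
        state = "affected" if is_affected(v) else "not in listed ranges"
        print(f"{v:>14}: {state}")
    print("admins who could escalate:",
          admins_not_maintainers(SAMPLE_BE_USERS, SAMPLE_SYSTEM_MAINTAINERS))
```

On a real instance the version comes from `composer show typo3/cms-core` or the backend's About module, the `be_users` rows from the database, and the maintainer list from the installation's configuration; the functions above are written so those three inputs can be dropped in unchanged.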
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.