## https://sploitus.com/exploit?id=18E9F20E-62EA-5A7F-8CD8-04430F2270D9
# CVE-2025-69212: OpenSTAManager has an OS Command Injection in P7M File Processing
## Overview
| Field | Details |
|---|---|
| **CVE ID** | CVE-2025-69212 |
| **Vulnerability Type** | OS Command Injection |
| **Severity** | CRITICAL |
| **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |
## Description
A critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. An authenticated attacker can upload a ZIP file containing a .p7m file with a malicious filename to execute arbitrary system commands on the server.
## Vulnerable Code
**File:** `src/Util/XML.php:100`
```php
public static function decodeP7M($file)
{
    $directory = pathinfo($file, PATHINFO_DIRNAME);
    $content = file_get_contents($file);
    $output_file = $directory.'/'.basename($file, '.p7m');

    try {
        if (function_exists('exec')) {
            // VULNERABLE - No input sanitization!
            // $file (and $output_file derived from it) is interpolated straight into
            // a shell command string; a double quote in the filename ends the quoted
            // "-in" operand and the remainder is parsed by the shell.
            exec('openssl smime -verify -noverify -in "'.$file.'" -inform DER -out "'.$output_file.'"', $output, $cmd);
        }
        // ... (rest of the function not shown in the advisory excerpt)
    } catch (\Exception $e) {
    }
}
```
**The Problem:**
- The `$file` parameter is passed ...
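The following is an added example, not OpenSTAManager's own fix, showing one way to harden the function: the filename is checked against a conservative allowlist and openssl is started without a shell, so no character in the name can terminate or extend the command. The names `isSafeP7MName` and `decodeP7MSafe` and the sample filenames are assumptions made for this illustration.

```php
<?php
// Added example (not the project's patch): hardened variant of decodeP7M().

function isSafeP7MName(string $name): bool
{
    // Defence in depth: only letters, digits, dot, underscore and hyphen,
    // and the name must end in .p7m. Everything else is rejected up front.
    return (bool) preg_match('/^[A-Za-z0-9._-]+\.p7m$/i', $name);
}

function decodeP7MSafe(string $file): ?string
{
    $realPath = realpath($file);
    if ($realPath === false || !is_file($realPath) || !isSafeP7MName(basename($realPath))) {
        return null; // not an existing, plainly named .p7m file
    }
    $directory  = pathinfo($realPath, PATHINFO_DIRNAME);
    $outputFile = $directory.'/'.basename($realPath, '.p7m');

    // Primary fix: proc_open() with an array argv (PHP >= 7.4) executes openssl
    // directly, with no /bin/sh in between, so quotes or separators in the path
    // are just bytes of a single argument. On older PHP, build a string and wrap
    // every operand with escapeshellarg() instead.
    $argv = ['openssl', 'smime', '-verify', '-noverify',
             '-in', $realPath, '-inform', 'DER', '-out', $outputFile];
    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $descriptors, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    fclose($pipes[1]);
    $stderr = stream_get_contents($pipes[2]); // kept for logging if needed
    fclose($pipes[2]);
    $status = proc_close($proc);

    return $status === 0 ? $outputFile : null;
}

// Constructed sample names: the second contains a double quote, the character
// that closed the quoted "-in" operand in the vulnerable exec() string.
assert(isSafeP7MName('fattura_2025.p7m') === true);
assert(isSafeP7MName('fattura".p7m') === false);
```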
## Affected Products
- **devcode-it/openstamanager** (versions: <= 2.9.8)
## CWE Classification
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
## References
- https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36
- https://nvd.nist.gov/vuln/detail/CVE-2025-69212
- https://github.com/advisories/GHSA-25fp-8w8p-mx36
## Disclaimer
This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.