## https://sploitus.com/exploit?id=8D80E256-E0CF-5629-972A-654657B04B04
# CVE-2025-69212
---
## Description
OpenSTAManager is a management software solution for technical assistance, electronic invoicing, and accounting. Versions `<=2.9.8` contain an authenticated remote code execution vulnerability. An attacker can exploit this issue by uploading a specially crafted `.zip` archive containing a `.p7m` file whose filename is interpreted as shell commands, resulting in arbitrary command execution on the remote server.
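The root cause described above is a filename taken from an uploaded archive and spliced into a shell command string. The following added example (not code from this PoC or from OpenSTAManager) shows the defensive side: a strict allowlist check for `.p7m` entry names, a vetting pass over an in-memory zip, and the command built as an argv list so the filename can never be parsed as shell syntax. The `p7m-extract` tool name, the function names and the sample archive contents are all constructed for illustration.

```python
import io
import os
import re
import zipfile

# Allowlist for archive entries we are willing to process: a bare filename,
# a conservative character set, and a mandatory .p7m suffix.
SAFE_P7M_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}\.p7m$")


def is_safe_p7m_name(name: str) -> bool:
    """True only if the entry name is a plain basename matching the allowlist."""
    # Reject anything carrying directory components (path traversal) or
    # characters outside the allowlist (shell metacharacters, whitespace, ...).
    if not name or name != os.path.basename(name):
        return False
    return SAFE_P7M_NAME.fullmatch(name) is not None


def unsafe_command_string(name: str) -> str:
    """The dangerous pattern: the filename lands verbatim in a shell string.
    Returned, not executed, so the effect of an untrusted name is visible."""
    return f"p7m-extract {name} > output.xml"  # hypothetical tool, unquoted argument


def safe_argv(name: str) -> list:
    """Hardened form: validate first, then pass the name as one argv element.
    Use with subprocess.run(safe_argv(name)) - no shell, no string splicing."""
    if not is_safe_p7m_name(name):
        raise ValueError(f"rejected archive entry name: {name!r}")
    return ["p7m-extract", name]  # hypothetical tool; name is a single argument


def vet_archive(zip_bytes: bytes) -> tuple:
    """Split an archive's entry names into accepted and rejected lists
    before anything is extracted or handed to a subprocess."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for entry in zf.namelist():
            (accepted if is_safe_p7m_name(entry) else rejected).append(entry)
    return accepted, rejected


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign entry, one name carrying shell
    syntax, one name carrying a path component."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.xml.p7m", b"constructed signed payload")
        zf.writestr("invoice.p7m;echo injected", b"constructed payload")
        zf.writestr("../outside.p7m", b"constructed payload")
    return buf.getvalue()


if __name__ == "__main__":
    accepted, rejected = vet_archive(build_sample_zip())
    print("accepted:", accepted)
    print("rejected:", rejected)
    for bad in rejected:
        # Shows how the unsafe pattern would have handed the name to a shell.
        print("unsafe string would be:", unsafe_command_string(bad))
    for good in accepted:
        print("safe argv:", safe_argv(good))
```

The check runs on the entry names reported by the archive itself, before extraction, so a crafted name is dropped at the upload boundary rather than after it has reached a shell. Keeping the argv-list form as the only way to invoke the tool means that even a validator bug cannot turn a filename into a second command.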
## Usage
### Requirement
```
$ pip install requests
```
### Proof-of-concept usage
```
$ python3 exploit.py [-h] --user USER --password PASSWORD [--target TARGET] [--cmd CMD]
```
Example:
```
$ python3 exploit.py --user="admin" --password="admin" --target="http://example.com/" --cmd="id"
```
### Options
```
-h, --help            show this help message and exit
--user USER           username for auth.
--password PASSWORD   password for auth.
--target TARGET       target domain endpoint
--cmd CMD             command to execute on the server
```
## References
- [nvd.nist.gov/vuln/detail/CVE-2025-69212](https://nvd.nist.gov/vuln/detail/CVE-2025-69212)
- [github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36](https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36)