## https://sploitus.com/exploit?id=8D80E256-E0CF-5629-972A-654657B04B04
# CVE-2025-69212
--- 

## Description

OpenSTAManager is a management software solution for technical assistance, electronic invoicing, and accounting. Versions `<=2.9.8` contain an authenticated remote code execution vulnerability. An attacker can exploit this issue by uploading a specially crafted `.zip` archive containing a `.p7m` file whose filename can be interpreted as shell commands, resulting in arbitrary command execution on the remote server.
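As an added defender-side example (not OpenSTAManager's code and not part of the PoC), the following Python validates the entry names of an uploaded archive before any `.p7m` is handed to an external tool, and shows the name passed as one argv element rather than through a shell string; the allowlist, the constructed sample archive and the openssl flags are assumptions.

```python
"""Validate .p7m entry names of an uploaded .zip before they reach a command line.

Added example for this page, not OpenSTAManager's own code. The allowlist and the
constructed sample archive below are assumptions made for illustration.
"""
import io
import re
import zipfile

# Conservative allowlist: letters, digits, dot, underscore, dash; must end in .p7m;
# first character may not be '-' so the name cannot be mistaken for a tool option.
# Spaces, quotes, $ ; | & ` and path separators are all refused, so the name can
# never change meaning even if it later reaches a shell or an argv.
SAFE_P7M_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._-]{0,199}\.p7m")

def is_safe_p7m_name(name: str) -> bool:
    """True only for a plain basename that matches the allowlist exactly."""
    return SAFE_P7M_NAME.fullmatch(name) is not None

def check_archive(data: bytes) -> dict:
    """Return {'accepted': [...], 'rejected': [...]} for the file entries of a zip."""
    result = {"accepted": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            bucket = "accepted" if is_safe_p7m_name(info.filename) else "rejected"
            result[bucket].append(info.filename)
    return result

def openssl_argv(p7m_path: str, out_path: str) -> list:
    """Argument vector for subprocess.run(argv, shell=False): no shell parses the name.
    The openssl smime flags are an assumption about how a .p7m would be unwrapped."""
    return ["openssl", "smime", "-verify", "-noverify", "-inform", "DER",
            "-in", p7m_path, "-out", out_path]

def build_sample_zip() -> bytes:
    """Constructed sample archive: one clean invoice name and two names a shell or
    an option parser would misread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("IT01234567890_00001.xml.p7m", b"not a real signature")
        zf.writestr("fattura;id.p7m", b"")
        zf.writestr("-verify.p7m", b"")
    return buf.getvalue()

if __name__ == "__main__":
    print(check_archive(build_sample_zip()))
```

Rejected entries should be dropped and logged before extraction; only accepted names are ever placed in an argv.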

## Usage

### Requirement

```
$ pip install requests
```

### Proof-of-concept usage

```
$ python3 exploit.py [-h] --user USER --password PASSWORD [--target TARGET] [--cmd CMD]
```

Example:

```
$ python3 exploit.py --user="admin" --password="admin" --target="http://example.com/" --cmd="id"
```

### Options

```
-h, --help           show this help message and exit
--user USER          username for auth.
--password PASSWORD  password for auth.
--target TARGET      target domain endpoint
--cmd CMD            command to execute on the server
```

## References

- [nvd.nist.gov/vuln/detail/CVE-2025-69212](https://nvd.nist.gov/vuln/detail/CVE-2025-69212)
- [github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36](https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36)