Two critical vulnerabilities in ScriptCase's Production Environment module can be chained together to achieve pre-authenticated remote command execution on affected servers.
The vulnerabilities, tracked as CVE-2025-47227 and CVE-2025-47228, affect version 1.0.003-build-2 of the Production Environment module included in ScriptCase version 9.12.006 (23), with earlier versions likely vulnerable as well.
Key Takeaways
1. Two severe CVE-tracked flaws in the ScriptCase Production Environment module enable full server takeover.
2. Attackers need no login credentials to exploit these vulnerabilities and compromise systems.
3. Password reset bypass and shell injection result in full system access in three simple steps.
4. Successful exploitation grants attackers full server control and database access.
ScriptCase is a popular low-code platform that generates PHP web applications through a graphical interface.
The Production Environment module serves as an administrative console for managing database connections and directories, and is typically deployed alongside generated websites.
The vulnerabilities discovered by the Synacktiv team allow attackers to compromise servers without any authentication requirements at all.
Authentication Bypass Flaw (CVE-2025-47227)
The first vulnerability stems from a flawed authentication mechanism in the Production Environment's password reset functionality.
The issue lies in the changePass() function in nmPageProdLogin.class.php, which only requires an email address and new password without verifying the current password.
The vulnerability exploits a timing issue where the session variable nm_session.prod_v8.login.is_page is set after the initial AJAX request processing. Attackers can bypass this protection by making two sequential requests with the same PHPSESSID cookie.
The exploit involves three steps: first, a GET request to login.php sets the session variable to true; second, a request to secureimage.php obtains a CAPTCHA challenge; finally, a POST request with the action nm_action=change_pass successfully resets the administrator password.
The POST request uses parameters including [email protected], pass_new=Synacktiv6, pass_conf=Synacktiv6, and the solved CAPTCHA value.
This completely bypasses authentication and grants administrative access to the Production Environment console.
Shell Injection Flaw (CVE-2025-47228)
The second vulnerability exists in the SSH configuration feature for database connections.
The nmPageAdminSysAllConectionsCreateWizard.class.php file contains a shell injection vulnerability in the GetListDatabaseNameMySql() function, where user input is directly concatenated into SSH commands without proper sanitization.
The vulnerable code constructs SSH commands using the format ssh -fNg -L $localPort:$server:$port $sshUser@$sshHost with user-controlled variables.
The ssh_localportforwarding parameter is particularly exploitable, as demonstrated by injecting ; touch ghijkl ;# which successfully executes arbitrary commands via shell_exec().
Attackers can exploit this by accessing admin_sys_allconections_test.php and submitting malicious payloads through the SSH configuration form.
The vulnerability allows execution of arbitrary system commands with web server privileges, typically www-data.
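The concatenation pattern described above, next to a hardened form, as an added example. This is not ScriptCase source code: the function names, parameter names, host names and sample values are hypothetical, and only the ssh command format is taken from the article.

```php
<?php
// Added example, not ScriptCase source; function and parameter names are hypothetical.

// Pattern described in the article: every field is pasted into one shell string.
function buildTunnelCommandUnsafe($localPort, $server, $port, $sshUser, $sshHost): string
{
    return "ssh -fNg -L $localPort:$server:$port $sshUser@$sshHost";
}

// Hardened form: accept only a real port number or a plain host/user name.
function validPort($value): int
{
    $port = filter_var($value, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 65535]]);
    if ($port === false) {
        throw new InvalidArgumentException('port must be an integer in 1..65535');
    }
    return $port;
}

function validName(string $value, string $label): string
{
    // Letters, digits, dot, underscore, hyphen only. A leading '-' is refused
    // so the value can never be parsed by ssh as an option.
    if (!preg_match('/\A[A-Za-z0-9_][A-Za-z0-9._-]{0,252}\z/', $value)) {
        throw new InvalidArgumentException("$label contains disallowed characters");
    }
    return $value;
}

function buildTunnelCommandSafe($localPort, $server, $port, $sshUser, $sshHost): string
{
    $forward = validPort($localPort) . ':' . validName($server, 'server') . ':' . validPort($port);
    $target  = validName($sshUser, 'sshUser') . '@' . validName($sshHost, 'sshHost');
    // Quote each argument as defence in depth on top of the allowlist checks.
    return 'ssh -fNg -L ' . escapeshellarg($forward) . ' ' . escapeshellarg($target);
}

// Constructed input, modelled on the injection string quoted in the article.
$payload = '; touch ghijkl ;#';
echo buildTunnelCommandUnsafe($payload, 'db.internal', 3306, 'tunnel', 'bastion.example'), PHP_EOL;
try {
    echo buildTunnelCommandSafe($payload, 'db.internal', 3306, 'tunnel', 'bastion.example'), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo buildTunnelCommandSafe('13306', 'db.internal', 3306, 'tunnel', 'bastion.example'), PHP_EOL;
```

The allowlist in validName() does not cover IPv6 literals; a deployment that needs them would validate those separately with FILTER_VALIDATE_IP.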
The researchers developed an automated exploitation script that chains both vulnerabilities, includes CAPTCHA solving capabilities using OCR techniques, and can detect ScriptCase deployment paths automatically.
| CVEs | Description | Affected Products | CVSS 3.1 Score |
| --- | --- | --- | --- |
| CVE-2025-47227 | Administrator's Password Reset (Authentication Bypass) | Production Environment module v1.0.003-build-2 (ScriptCase v9.12.006-23), likely earlier versions | 7.5 (High) |
| CVE-2025-47228 | Shell Injection (Remote Command Execution) | Production Environment module v1.0.003-build-2 (ScriptCase v9.12.006-23), likely earlier versions | 6.7 (Medium) |
ScriptCase has not released official patches for either CVE-2025-47227 (authentication bypass) or CVE-2025-47228 (shell injection) as of the public disclosure date.
The most effective immediate protection involves restricting access to the ScriptCase Production Environment extension at the network perimeter level.
For the remote command execution vulnerability, additional endpoint blocking should include /prod/lib/php/devel/iface/admin_sys_allconections_test.php and /prod/lib/php/devel/iface/admin_sys_allconections_create_wizard.php.
These restrictions effectively neutralize both attack vectors while maintaining the functionality of the primary ScriptCase development environment if deployed separately.