PT-2025-18069 · Ipw Systems · Ipw Systems Metazo
Patrick Hener · Published 2025-04-28 · Updated 2025-05-03 · CVE-2025-46661
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
IPW Systems Metazo versions 8.1.3 and earlier
Description
The issue allows unauthenticated remote code execution because smartyValidator.php lets an attacker supply template expressions, a flaw known as Server-Side Template Injection (SSTI). All instances have been patched by the supplier.
Recommendations
For IPW Systems Metazo version 8.1.3 and earlier, update to a patched version to resolve the issue. As a temporary workaround, consider disabling the smartyValidator.php file until a patch is available. Restrict access to the smartyValidator.php file to minimize the risk of exploitation. Avoid using template expressions in the affected API endpoints until the issue is resolved.
Fix
RCE
Code Injection
Related Identifiers
Affected Products
Ipw Systems Metazo
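To check that the access restriction recommended above is actually holding, and to see who reached the file before it was in place, the following added example (not part of the advisory or of the vendor's code) audits web server access logs for requests to smartyValidator.php. It assumes Combined Log Format; the `/example/` path, the IP addresses and the log lines are constructed, and treating 401/403/404 as "blocked" is an assumption to adapt to your setup.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

TARGET = "smartyvalidator.php"   # file named in the advisory, lower-cased
BLOCKED = {401, 403, 404}        # assumption: statuses that mean "not served"

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges, placeholder path).
SAMPLE_LOG = [
    '198.51.100.7 - - [27/Apr/2025:10:01:12 +0000] "POST /example/smartyValidator.php HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '198.51.100.7 - - [29/Apr/2025:08:14:03 +0000] "POST /example/smartyValidator.php HTTP/1.1" 403 153 "-" "curl/8.5.0"',
    '203.0.113.9 - - [29/Apr/2025:09:00:41 +0000] "GET /example/SmartyValidator%2Ephp?x=1 HTTP/1.1" 200 98 "-" "-"',
    '192.0.2.10 - - [29/Apr/2025:09:05:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

def audit(lines, allowlist=frozenset()):
    """Return {ip: {"served": [...], "blocked": [...]}} for requests to TARGET."""
    hits = defaultdict(lambda: {"served": [], "blocked": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["ip"] in allowlist:
            continue
        # Drop the query string, decode %-escapes, ignore case, and match any
        # path segment so /smartyValidator.php/extra (PATH_INFO) is caught too.
        path = unquote(m["path"].split("?", 1)[0]).lower()
        if TARGET not in path.split("/"):
            continue
        status = int(m["status"])
        bucket = "blocked" if status in BLOCKED else "served"
        hits[m["ip"]][bucket].append((m["ts"], m["method"], status))
    return dict(hits)

def restriction_holds(report):
    """True only if no non-allowlisted client got the file served."""
    return all(not entry["served"] for entry in report.values())

if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for ip, entry in sorted(report.items()):
        print(ip, "served:", len(entry["served"]), "blocked:", len(entry["blocked"]))
    print("restriction holds:", restriction_holds(report))
```

Any "served" entry dated before the patch or workaround was applied is a lead for incident response, since the flaw required no authentication.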