PT-2026-6767 · Unknown · Importfe Zip+2

Published

2026-02-06

·

Updated

2026-02-07

·

CVE-2025-69212

CVSS v4.0

9.4

Critical

Vector

AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions

OpenSTAManager versions 2.9.8 and earlier
Description

OpenSTAManager is affected by a critical OS command injection in the P7M (signed XML) decoding functionality. An authenticated attacker with low privileges (PR:L) can upload a ZIP archive containing a .p7m entry whose name carries shell metacharacters, and the application executes the injected command on the server. The root cause is missing sanitization of entry names read from uploaded ZIP archives: the decodeP7M() function in src/Util/XML.php concatenates the filename directly into a command string passed to exec() without validating or escaping it. The attack path runs through the importFE ZIP plugin or the FatturaElettronica class (plugins/importFE ZIP/actions.php and plugins/importFE/src/FatturaElettronica.php), both of which hand the archive's entry names to the decoder. Commands run with the privileges of the web server user, so successful exploitation yields remote code execution and can lead to data exfiltration, privilege escalation, persistence, and lateral movement within the network.
Recommendations

Affected versions (2.9.8 and earlier) should sanitize the filename before it reaches exec(): either reject entry names that contain shell metacharacters, or wrap the filename with escapeshellarg() so the shell treats it as a single literal argument. Alternatively, restrict ZIP entry names to alphanumeric characters, dots, dashes, and underscores before processing them. Combining both measures is preferable: escapeshellarg() neutralizes shell metacharacters but does not stop the invoked program from interpreting a leading dash as a command-line option, and an allow-list on the base name also blocks directory traversal in the entry name.
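The following is an added PHP example, not code from OpenSTAManager or the GHSA advisory, illustrating the pattern described above: a ZIP entry name concatenated into an exec() command line, next to a hardened version that allow-lists the name and escapes each argument. The shape of the openssl invocation, the helper names (decodeP7MVulnerable, isSafeArchiveName, decodeP7MHardened, extractSafeP7MEntries) and the sample entry names are assumptions made for the demonstration; the real decodeP7M() in src/Util/XML.php is not reproduced here.

```php
<?php
// Added example (not the project's code). The openssl command shape and all
// helper names are assumptions; only the vulnerability class is taken from
// the advisory text.

// Vulnerable pattern: the ZIP entry name flows straight into the shell.
// An entry named   invoice.p7m; id > /tmp/pwned #   makes the shell run the
// injected "id" command as the web server user.
function decodeP7MVulnerable(string $file): string
{
    $out = $file . '.xml';
    exec('openssl smime -verify -noverify -inform DER -in ' . $file . ' -out ' . $out);
    return $out;
}

// Hardened step 1: allow-list the entry name before it reaches any shell.
function isSafeArchiveName(string $name): bool
{
    return $name !== ''
        && basename($name) === $name                     // no directory components
        && preg_match('/^[A-Za-z0-9._-]+$/', $name) === 1 // no shell metacharacters
        && $name[0] !== '-';                              // not parsable as an option
}

// Hardened step 2: escape every argument and anchor the path under a
// directory the application controls.
function decodeP7MHardened(string $workDir, string $entryName): string
{
    if (!isSafeArchiveName($entryName) || preg_match('/\.p7m$/i', $entryName) !== 1) {
        throw new InvalidArgumentException('Rejected archive entry name: ' . $entryName);
    }
    $in  = $workDir . DIRECTORY_SEPARATOR . $entryName;
    $out = $in . '.xml';

    $cmd = 'openssl smime -verify -noverify -inform DER -in ' . escapeshellarg($in)
         . ' -out ' . escapeshellarg($out);
    exec($cmd, $output, $status);
    if ($status !== 0) {
        throw new RuntimeException('openssl failed with exit status ' . $status);
    }
    return $out;
}

// Where the names come from: iterate the archive and extract only entries
// whose names pass the allow-list, so nothing else ever reaches decodeP7M.
function extractSafeP7MEntries(string $zipPath, string $workDir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException('Cannot open archive: ' . $zipPath);
    }
    $accepted = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (isSafeArchiveName($name) && preg_match('/\.p7m$/i', $name) === 1) {
            $zip->extractTo($workDir, [$name]);
            $accepted[] = $name;
        }
    }
    $zip->close();
    return $accepted;
}

// Constructed sample entry names (no archive is opened in this demo).
$samples = [
    'fattura.p7m',
    'invoice.p7m; id > /tmp/pwned #',
    '../../etc/fattura.p7m',
    '-in.p7m',
];
foreach ($samples as $name) {
    printf("%-35s %s\n", $name, isSafeArchiveName($name) ? 'accepted' : 'rejected');
}
```

Only the first sample name passes the allow-list; the metacharacter, traversal and leading-dash names are rejected before decodeP7MHardened() would build a command line, and escapeshellarg() protects the remaining arguments even if the allow-list were later relaxed.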

Weakness Enumeration

OS Command Injection

Related Identifiers

CVE-2025-69212
GHSA-25FP-8W8P-MX36

Affected Products

Fatturaelettronica
Openstamanager
Importfe Zip