CVE-2025-30076
Published: 16 March 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2025-30076 is a command injection vulnerability (CWE-78) in Koha, an open-source library management system, affecting versions prior to 24.11.02. The flaw resides in the tools/scheduler.pl script, where shell metacharacters in the report parameter can be leveraged by administrators to execute arbitrary commands. It carries a CVSS v3.1 base score of 7.7 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N), indicating high severity due to its potential for significant confidentiality and integrity impacts.
Exploitation targets authenticated administrators with network access to the Koha instance, though it demands high attack complexity. Attackers can inject malicious payloads into the report parameter of the scheduler script, achieving remote code execution on the server hosting Koha. This grants high-level access to execute arbitrary commands, potentially compromising sensitive library data or escalating privileges within the changed scope.
Mitigation involves upgrading to Koha 24.11.02 or later, as indicated by the vulnerability description. The Koha Bugzilla advisory (bug 39170) details the issue and fix, while a proof-of-concept exploit demonstrating the task scheduler RCE is publicly available in a GitHub repository by gl0wyy.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in scheduler.pl enables arbitrary command execution via shell metacharacters for authenticated admins (T1059.004 Unix Shell) and exploitation of a network-accessible application leading to RCE (T1190).