CVE-2025-69212

HighPublic PoC

Published: 06 February 2026

Published

06 February 2026

Modified

09 February 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0013 32.4th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. An authenticated attacker can upload a ZIP file containing…

a .p7m file with a malicious filename to execute arbitrary system commands on the server.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Validates filenames and contents of uploaded ZIP files with .p7m attachments to prevent OS command injection during P7M decoding.

SI-2 Flaw Remediation good match

prevent

Remediates the specific OS command injection flaw in OpenSTAManager's P7M file decoding functionality through timely patching or updates.

SI-4 System Monitoring partial match

detect

Monitors the system for anomalous command executions triggered by malicious filenames in the P7M decoding process.

Security SummaryAI

CVE-2025-69212 is a critical OS Command Injection vulnerability (CWE-78) in OpenSTAManager, an open source management software for technical assistance and invoicing. The flaw affects versions 2.9.8 and earlier, specifically in the P7M (signed XML) file decoding functionality. Published on 2026-02-06, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts.

An authenticated attacker with low privileges can exploit the vulnerability over the network with low complexity and no user interaction required. By uploading a ZIP file containing a .p7m file with a malicious filename, the attacker triggers arbitrary system command execution on the server.

Mitigation details are available in the GitHub Security Advisory at https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36.

Details

CWE(s): CWE-78

Affected Products

devcode

openstamanager

≤ 2.9.8

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059 Command and Scripting Interpreter Execution

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

attack.mitre.org →

Why these techniques?

The vulnerability is an OS command injection in a network-accessible web application (T1190: Exploit Public-Facing Application), directly enabling arbitrary system command execution (T1059: Command and Scripting Interpreter).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36
Exploit, Vendor Advisory · security-advisories@github.com