ScriptCase Vulnerabilities Allow Remote Code Execution and Full Server Compromise

Two critical vulnerabilities have been discovered in ScriptCase, a popular low-code PHP web application generator, which puts thousands of servers at risk of remote code execution and complete compromise.

The flaws, tracked as CVE-2025-47227 and CVE-2025-47228, affect the Production Environment module (also known as the “prod console”), which is commonly deployed alongside web applications for database and directory management, as per a report by Synacktiv.

ScriptCase enables developers to build PHP applications through a graphical interface.

CVE ID           Description                               Severity   Attack Vector     Status
CVE-2025-47227   Pre-auth admin password reset (bypass)    High       Remote, unauth.   Unfixed
CVE-2025-47228   Authenticated shell injection (RCE)       High       Remote, auth.     Unfixed

While the main ScriptCase interface is often kept off production servers, the prod console is typically present, making these vulnerabilities especially dangerous.

The Vulnerabilities

CVE-2025-47227: Pre-Authenticated Administrator Password Reset

  • Type: Authentication Bypass
  • Attack Vector: Remote, no authentication required
  • Description: By chaining a specific sequence of HTTP GET and POST requests to the prod console login page, an attacker can reset the administrator password without any prior access. The only requirements are knowledge of the login page location and the ability to solve a simple CAPTCHA, which can be automated using OCR tools. This grants the attacker full administrative access to the prod console.

CVE-2025-47228: Remote Command Execution via Shell Injection

  • Type: Authenticated Command Injection
  • Attack Vector: Remote, authenticated access (which can be gained via CVE-2025-47227)
  • Description: Once logged into the prod console, an attacker can exploit the SSH connection configuration feature. Unsanitized user input is directly concatenated into a shell command and executed by the server, allowing arbitrary command execution as the web server user (typically www-data). This can be leveraged to gain full control over the server, access sensitive data, or pivot further into the network.
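The bug class described above, building a shell command by concatenating a form field, is shown here in a hypothetical Python illustration written for this article; it is not ScriptCase's code and does not reproduce the actual vulnerable endpoint. The function names, the hostname pattern and the sample inputs are all constructed. It contrasts the vulnerable concatenation with two hardened forms: allowlist validation plus an argv list (no shell at all), and shell quoting (the Python equivalent of PHP's escapeshellarg). Nothing here executes a command; the functions only build and return the command so the difference can be inspected.

```python
import re
import shlex

# Hypothetical hostname allowlist: RFC 1123 labels joined by dots (constructed for this example).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def build_ssh_command_unsafe(host: str, user: str) -> str:
    """Vulnerable pattern: user input concatenated into a string destined for a shell.

    Anything a shell treats specially in `host` (e.g. ';') becomes part of the command line.
    """
    return "ssh " + user + "@" + host + " true"


def build_ssh_command_safe(host: str, user: str) -> list[str]:
    """Hardened pattern: validate against an allowlist, then return an argv list.

    An argv list is passed to subprocess.run(argv) without a shell, so no
    metacharacter is ever interpreted; validation additionally keeps garbage out.
    """
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected hostname: {host!r}")
    if not USERNAME_RE.match(user):
        raise ValueError(f"rejected user: {user!r}")
    # "--" ends OpenSSH option parsing, so a value can never be read as a flag.
    return ["ssh", "--", f"{user}@{host}", "true"]


def build_ssh_command_quoted(host: str, user: str) -> str:
    """Fallback when a shell string is unavoidable: quote every untrusted value.

    shlex.quote plays the role PHP's escapeshellarg plays; the whole value
    becomes a single shell word, metacharacters included.
    """
    return "ssh " + shlex.quote(f"{user}@{host}") + " true"


if __name__ == "__main__":
    # Constructed sample inputs: one benign, one carrying a shell metacharacter.
    benign = ("db01.example.com", "deploy")
    tainted = ("db01.example.com; echo injected", "deploy")

    print("unsafe  :", build_ssh_command_unsafe(*tainted))
    print("quoted  :", build_ssh_command_quoted(*tainted))
    print("argv    :", build_ssh_command_safe(*benign))
    try:
        build_ssh_command_safe(*tainted)
    except ValueError as exc:
        print("rejected:", exc)
```

When reviewing PHP code for this class of defect, the things to look for are the same: string building around exec/shell_exec/system/popen/proc_open, missing escapeshellarg on each argument, and the absence of any allowlist on fields such as hostnames, usernames and ports that have a narrow legitimate format.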

Affected Versions

Module/Version                             Included in ScriptCase   Status
Production Environment 1.0.003-build-2     9.12.006 (23)            Vulnerable
Earlier versions                           Various                  Likely vulnerable

No official fix is currently available. Users are strongly advised to restrict access to the prod console and block specific endpoints at the proxy or firewall level.

Impact

  • Full server compromise: Attackers can reset the admin password, log in, and execute arbitrary commands.
  • No authentication required: The attack can be launched remotely by anyone who can reach the prod console.
  • Automation possible: CAPTCHA protection can be bypassed with OCR, enabling mass exploitation.

Recommendations

  • Restrict access: Limit network access to the prod console.
  • Block vulnerable endpoints: Deny access to /prod/lib/php/devel/iface/login.php and related admin scripts at the proxy or firewall.
  • Monitor for updates: Await an official patch from the vendor and apply it as soon as available.

Researchers Alexandre Droullé and Alexandre Zanni are credited with discovering these vulnerabilities. Organizations using ScriptCase should take immediate action to mitigate risk.
