ScriptCase Vulnerabilities Let Attackers Execute Remote Code and Gain Server Access

Two critical vulnerabilities in ScriptCase’s Production Environment module can be chained together to achieve pre-authenticated remote command execution on affected servers. 

The vulnerabilities, tracked as CVE-2025-47227 and CVE-2025-47228, affect version 1.0.003-build-2 of the Production Environment module included in ScriptCase version 9.12.006 (23), with previous versions likely vulnerable as well.

Key Takeaways
1. Two severe CVE-tracked flaws in ScriptCase Production Environment module allow complete server takeover.
2. Attackers need no login credentials to exploit these vulnerabilities and compromise systems.
3. Password reset bypass and shell injection result in full system access in three easy steps.
4. Successful exploitation grants attackers full server control and database access.

ScriptCase is a popular low-code platform that generates PHP web applications through a graphical interface. 

The Production Environment module serves as an administrative console for managing database connections and directories, and is typically deployed alongside generated websites. 

The vulnerabilities, discovered by the Synacktiv team, allow attackers to compromise servers without any authentication at all.

Authentication Bypass Flaw (CVE-2025-47227) 

The first vulnerability stems from a flawed authentication mechanism in the Production Environment’s password reset functionality. 

The issue lies in the changePass() function within nmPageProdLogin.class.php, which only requires an email address and new password without verifying the current password.

The bypass relies on an ordering issue: the session variable nm_session.prod_v8.login.is_page is only set after the initial AJAX request has been processed. Attackers can get past this check by making two sequential requests that share the same PHPSESSID cookie. 

The exploit involves three steps: first, a GET request to login.php sets the session variable to true; second, a request to secureimage.php obtains a CAPTCHA challenge; finally, a POST request with the action nm_action=change_pass successfully resets the administrator password.

The POST request uses parameters including [email protected], pass_new=Synacktiv6, pass_conf=Synacktiv6, and the solved CAPTCHA value. 

This completely bypasses authentication and grants administrative access to the Production Environment console.

Shell Injection Flaw (CVE-2025-47228)

The second vulnerability exists in the SSH configuration feature for database connections. 

The nmPageAdminSysAllConectionsCreateWizard.class.php file contains a shell injection vulnerability in the GetListDatabaseNameMySql() function, where user input is directly concatenated into SSH commands without proper sanitization.

The vulnerable code constructs SSH commands using the format ssh -fNg -L $localPort:$server:$port $sshUser@$sshHost with user-controlled variables. 

The ssh_localportforwarding parameter is particularly exploitable, as demonstrated by injecting ; touch ghijkl ;# which successfully executes arbitrary commands via shell_exec().

Attackers can exploit this by accessing admin_sys_allconections_test.php and submitting malicious payloads through the SSH configuration form. 

The vulnerability allows execution of arbitrary system commands with web server privileges, typically www-data.

The researchers developed an automated exploitation script that chains both vulnerabilities, includes CAPTCHA solving capabilities using OCR techniques, and can detect ScriptCase deployment paths automatically. 
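The two request patterns described above (the login.php -> secureimage.php -> change_pass sequence for CVE-2025-47227, and shell metacharacters in the ssh_* parameters of the connection-test endpoint for CVE-2025-47228) are easy to pick out of web server logs. The following detector is an added example, not code from the article or from Synacktiv. It assumes a combined-format access log in which request parameters are visible in the query string (for real POST bodies you would need a WAF or body-logging proxy), keys the reset sequence on client IP because access logs do not record the PHPSESSID cookie, and uses the default /prod/lib/php/devel/iface/ path from the mitigation section; the log lines themselves are constructed for illustration.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format). They illustrate the
# request pattern described in the write-up and are not captured from a real host.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2025:12:00:01 +0000] "GET /prod/lib/php/devel/iface/login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2025:12:00:02 +0000] "GET /prod/lib/php/devel/iface/secureimage.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2025:12:00:03 +0000] "POST /prod/lib/php/devel/iface/login.php?nm_action=change_pass HTTP/1.1" 200 128 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2025:12:00:09 +0000] "POST /prod/lib/php/devel/iface/admin_sys_allconections_test.php?ssh_localportforwarding=%3B+touch+ghijkl+%3B%23 HTTP/1.1" 200 64 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2025:12:05:00 +0000] "GET /app/index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoints named in the advisory. The /prod/lib/php/devel/iface/ prefix is the
# default quoted in the write-up; it may differ per deployment (assumption).
IFACE = "/prod/lib/php/devel/iface/"
INJECTION_ENDPOINTS = {
    IFACE + "admin_sys_allconections_test.php",
    IFACE + "admin_sys_allconections_create_wizard.php",
}
# Shell metacharacters that have no place in an SSH port-forwarding spec
SHELL_META = re.compile(r"[;&|`$<>\n]")
RESET_WINDOW_SECONDS = 300


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": url.path,
        "params": parse_qs(url.query),
        "status": int(m["status"]),
    }


def check_shell_injection(entry):
    """CVE-2025-47228 pattern: an ssh_* parameter carrying shell metacharacters."""
    if entry["path"] not in INJECTION_ENDPOINTS:
        return None
    for name, values in entry["params"].items():
        if name.startswith("ssh_") and any(SHELL_META.search(v) for v in values):
            return f"CVE-2025-47228 pattern: {name}={values[0]!r} from {entry['ip']}"
    return None


def find_reset_sequences(entries):
    """CVE-2025-47227 pattern: GET login.php -> secureimage.php -> POST change_pass
    from one client inside a short window (client IP stands in for PHPSESSID)."""
    findings = []
    state = {}  # ip -> (stage reached, timestamp of the login.php GET)
    for e in entries:
        ip = e["ip"]
        stage, first = state.get(ip, (0, e["ts"]))
        if stage == 0 or (e["ts"] - first).total_seconds() > RESET_WINDOW_SECONDS:
            stage, first = 0, e["ts"]
        name = e["path"].rsplit("/", 1)[-1]
        if stage == 0 and name == "login.php" and e["method"] == "GET":
            stage = 1
        elif stage == 1 and name == "secureimage.php":
            stage = 2
        elif (stage == 2 and name == "login.php" and e["method"] == "POST"
              and e["params"].get("nm_action") == ["change_pass"]):
            findings.append(f"CVE-2025-47227 pattern: password reset sequence from {ip}")
            stage = 0
        state[ip] = (stage, first)
    return findings


def analyze(log_text):
    """Run both checks over a log and return the list of finding strings."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    findings = [f for f in (check_shell_injection(e) for e in entries) if f]
    findings.extend(find_reset_sequences(entries))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The shell-metacharacter check deliberately inspects every ssh_* parameter rather than only ssh_localportforwarding, since the write-up says the command is built from several user-controlled variables; tune the endpoint prefix to your deployment before running it over production logs.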

| CVE | Description | Affected Products | CVSS 3.1 Score |
| --- | --- | --- | --- |
| CVE-2025-47227 | Administrator’s Password Reset (Authentication Bypass) | Production Environment module v1.0.003-build-2 (ScriptCase v9.12.006-23), likely previous versions | 7.5 (High) |
| CVE-2025-47228 | Shell Injection (Remote Command Execution) | Production Environment module v1.0.003-build-2 (ScriptCase v9.12.006-23), likely previous versions | 6.7 (Medium) |

ScriptCase has not released official patches for either CVE-2025-47227 (authentication bypass) or CVE-2025-47228 (shell injection) as of the public disclosure date.

The most effective immediate protection involves restricting access to the ScriptCase Production Environment extension at the network perimeter level. 

For the remote command execution vulnerability, additional endpoint blocking should include /prod/lib/php/devel/iface/admin_sys_allconections_test.php and /prod/lib/php/devel/iface/admin_sys_allconections_create_wizard.php. 

These restrictions effectively neutralize both attack vectors while maintaining the functionality of the primary ScriptCase development environment if deployed separately.
