CVE-2020-25507
Description
An incorrect permission assignment during the installation script of TeamworkCloud 18.0 thru 19.0 allows a local unprivileged attacker to execute arbitrary code as root. During installation, the user is instructed to set the system enviroment file with world writable permissions (0777 /etc/environment). Any local unprivileged user can execute arbitrary code simply by writing to /etc/environment, which will force all users, including root, to execute arbitrary code during the next login or reboot. In addition, the entire home directory of the twcloud user at /home/twcloud is recursively given world writable permissions. This allows any local unprivileged attacker to execute arbitrary code, as twcloud. This product was previous named Cameo Enterprise Data Warehouse (CEDW).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- TeamworkCloud/TeamworkClouddescription
- Range: 18.0 - 19.0
Patches
Vulnerability mechanics
Root cause
"The installation script sets world-writable permissions (0777) on /etc/environment and recursively on /home/twcloud, allowing any local user to inject arbitrary commands that execute as root or as the twcloud user."
Attack vector
A local unprivileged attacker can write arbitrary content to `/etc/environment` because the installation script sets its permissions to `0777` (world-writable) [ref_id=1]. On the next login or reboot, every user—including root—sources this file, causing the attacker's injected commands to execute with root privileges. Separately, the attacker can write malicious files into `/home/twcloud` (also world-writable), which will be executed in the context of the `twcloud` user. No authentication or network access is required; the attacker only needs a local shell account on the affected system.
Affected code
The installation script (`install_java.sh`) included in the official Teamwork Cloud documentation [ref_id=1] runs `sudo chmod 777 /etc/environment`, making the system environment file world-writable. Additionally, the home directory `/home/twcloud` is recursively given world-writable permissions during installation. These permissions affect Teamwork Cloud versions 18.0 through 19.0 (formerly Cameo Enterprise Data Warehouse / CEDW).
What the fix does
The advisory does not include a published patch. To remediate the vulnerability, administrators must manually correct the permissions on `/etc/environment` (e.g., `chmod 644 /etc/environment`) and on `/home/twcloud` (e.g., `chmod 755 /home/twcloud` and ensure subdirectories have appropriate restrictive permissions). The installation script should be modified to avoid granting world-writable permissions to sensitive system files and user home directories.
Preconditions
- authAttacker must have a local unprivileged shell account on the Linux system where TeamworkCloud is installed.
- configThe installation script must have been run as documented, leaving /etc/environment with 0777 permissions and /home/twcloud recursively world-writable.
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- community.nomagic.com/finding-and-fixing-wrong-file-permission-twc-installation-t7165.htmlmitrex_refsource_CONFIRM
- docs.nomagic.com/display/TWCloud190/Installation+on+Linux+using+scriptsmitrex_refsource_MISC
- github.com/sickcodes/security/blob/master/advisories/SICK-2020-002.mdmitrex_refsource_MISC
- sick.codes/finding-a-vulnerability-in-teamwork-cloud-server-nomagic-3ds-which-is-used-by-gov-enterprise-to-design-rockets-missiles-and-satellitesmitrex_refsource_MISC
- sick.codes/sick-2020-002/mitrex_refsource_MISC
- web.archive.org/web/20201219095507/https://docs.nomagic.com/display/TWCloud185SP1/Installation+on+Centos+7.mitrex_refsource_MISC
- web.archive.org/web/20201219155833/https://docs.nomagic.com/pages/viewpage.actionmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.