VYPR
Critical severity · NVD Advisory · Published Feb 6, 2026 · Updated Feb 9, 2026

OpenSTAManager has an OS Command Injection in P7M File Processing

CVE-2025-69212

Description

OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. An authenticated attacker can upload a ZIP file containing a .p7m file with a malicious filename to execute arbitrary system commands on the server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OpenSTAManager ≤2.9.8 contains an OS command injection via unsanitized filenames in P7M file decoding that an authenticated attacker can exploit to achieve remote code execution.

Vulnerability

OpenSTAManager versions 2.9.8 and earlier are affected by a critical OS command injection vulnerability in the P7M (signed XML) file decoding functionality. The decodeP7M() method in src/Util/XML.php (line 100) passes user-supplied file paths directly into an exec() call without adequate sanitization. Although the filename is wrapped in double quotes, an attacker can escape them by including shell meta-characters in the filename. The vulnerable code is reachable through the importFE_ZIP plugin and the FatturaElettronica constructor, both of which process filenames from uploaded ZIP archives. [3]

Attack Vector

The attacker must be authenticated and upload a specially crafted ZIP archive. PHP's ZipArchive::extractTo() splits filenames on the / character, so the payload must not contain / in commands. The import flow extracts the ZIP, iterates over the .p7m files, and calls decodeP7M() with the extracted filename. By embedding command injection sequences (e.g., backticks or ;) in the filename, an attacker can execute arbitrary system commands on the server in the web server's user context. [3]

Impact

Successful exploitation grants the attacker the ability to execute arbitrary OS commands, leading to complete compromise of the application server. Given the sensitive data managed by OpenSTAManager (customer records, invoices, warehouse management), an attacker could exfiltrate data, modify records, or pivot to internal networks. The vulnerability is rated critical but CVSS 4.0 metrics have not yet been assigned by NVD. [2][3]

Mitigation

The vulnerability affects all versions up to and including 2.9.8. The vendor has not yet released a patched version as of the publication date. Users should restrict access to the import functionality, monitor for unusual ZIP uploads, and disable automatic import if not required. The advisory recommends treating filenames from ZIP archives as untrusted and applying strict input validation before use in shell commands. [1][3]
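The mitigation advice above, treating ZIP entry names as untrusted and never splicing them into a shell string, as an added PHP example. This is not OpenSTAManager's own code; the function names, the openssl invocation, the output path and the character allowlist are assumptions chosen for illustration.

```php
<?php
// Added example, not OpenSTAManager's code. Shows (1) screening ZIP entry
// names before extraction and (2) decoding a .p7m without building a shell
// string. The weak pattern described in the advisory is, in spirit:
//     exec("openssl ... -in \"$file\"");   // double quotes are escapable
declare(strict_types=1);

/**
 * Accept only a plain basename with a conservative character set and a .p7m
 * extension. Rejecting shell meta-characters outright is easier to reason about
 * than quoting them, and legitimate invoice file names never need them.
 * (Allowlist and length limit are assumptions.)
 */
function isSafeP7mName(string $name): bool
{
    // No directory components, no hidden files, no empty names.
    if ($name === '' || $name !== basename($name) || $name[0] === '.') {
        return false;
    }
    return preg_match('/^[A-Za-z0-9._-]{1,200}\.p7m$/i', $name) === 1;
}

/**
 * Inspect every entry of an uploaded archive *before* extractTo() and return
 * the names that fail validation, so the whole upload can be refused and logged.
 */
function findUnsafeZipEntries(string $zipPath): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::RDONLY) !== true) {
        throw new RuntimeException('Cannot open archive');
    }
    $bad = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $entry = $zip->getNameIndex($i);
        // Directory entries are tolerated; anything else must be a safe .p7m name.
        if (substr($entry, -1) !== '/' && !isSafeP7mName($entry)) {
            $bad[] = $entry;
        }
    }
    $zip->close();
    return $bad;
}

/**
 * Decode a signed P7M envelope to its XML payload. proc_open() with an array
 * command (PHP >= 7.4) executes the program directly, no shell involved, so the
 * filename travels as a single argv element and cannot inject anything.
 */
function decodeP7mSafely(string $dir, string $name): string
{
    if (!isSafeP7mName($name)) {
        throw new InvalidArgumentException('Rejected P7M entry name');
    }
    $input  = $dir . DIRECTORY_SEPARATOR . $name;
    $output = $input . '.xml';                       // hypothetical output path

    $cmd = ['openssl', 'smime', '-verify', '-noverify', '-binary',
            '-in', $input, '-inform', 'DER', '-out', $output];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes, $dir);
    if (!is_resource($proc)) {
        throw new RuntimeException('Failed to start openssl');
    }
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    if (proc_close($proc) !== 0) {
        throw new RuntimeException('openssl failed: ' . trim($stderr));
    }
    return $output;
}

/**
 * If the code must stay on exec(), quote with escapeshellarg() rather than
 * hand-written double quotes: it wraps the value in single quotes and escapes
 * embedded ones, which is what the advisory's "strict input validation before
 * use in shell commands" amounts to at the call site.
 */
function legacyCommand(string $path): string
{
    return 'openssl smime -verify -noverify -binary -in ' . escapeshellarg($path)
         . ' -inform DER -out ' . escapeshellarg($path . '.xml');
}
```

The screening step is the one to wire in first: refusing an archive whose entry names fail isSafeP7mName() before extractTo() runs removes the hostile filename from the pipeline entirely, and the rejected names are exactly what to log when monitoring for unusual ZIP uploads.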

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: devcode-it/openstamanager (Packagist)
Affected versions: <= 2.9.8
Patched versions: none listed

Affected products

1
  • devcode-it/openstamanagerv5
    Range: <= 2.9.8

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.