In a recent security advisory, researchers from Synacktiv revealed two chained vulnerabilities in ScriptCase’s Production Environment module—known as the “prod console”—that can lead to pre-authenticated remote command execution (RCE), putting web servers and sensitive database credentials at immediate risk.
“Pre-authenticated remote command execution is achieved by chaining two vulnerabilities: the first is the ability to reset the administrator password… and the second is a simple authenticated remote command execution,” Synacktiv explained in their detailed report.
The first vulnerability, tracked as CVE-2025-47227, allows attackers to reset the prod console administrator’s password without authentication, by exploiting how the is_page session variable is set during the login flow.
The attack works in three simple HTTP requests:
- Initialize session with a crafted PHPSESSID by visiting login.php.
- Retrieve a CAPTCHA image tied to that session.
- Send a password reset POST with the CAPTCHA, a new password, and any email address.
“It is easily noticeable that only an email address and a new password is required, no old password,” the report noted. Moreover, “the prod console has only one user” — making privilege escalation trivial.
The second vulnerability, tracked as CVE-2025-47228, is a shell injection in the SSH connection settings that allows authenticated attackers to execute system commands via crafted HTTP requests. Once logged in, attackers can abuse the prod console's SSH port forwarding feature for remote command injection. Input is passed unsanitized into a shell_exec() call in the code responsible for database connection testing.
“User-supplied data is then used unsanitized in the sensitive operation shell_exec()… when injecting the command ; touch ghijkl ;#, the file ghijkl is successfully created on the server,” Synacktiv demonstrated.
The exploitation doesn’t even require valid database credentials—just manipulating form fields and re-enabling hidden UI elements is sufficient.
While the password reset form is protected by CAPTCHA, Synacktiv showed how attackers can automate CAPTCHA solving using common OCR tools like Tesseract:
“The captcha always consists of 4 capital letters… allowing to automate the only manual step of the exploit,” the researchers explained. They demonstrated successful OCR extraction of codes like NKUN and NKUW using cleaned images.
Synacktiv also released a Python-based exploit tool capable of:
- Chaining the full pre-auth RCE
- Executing RCE post-auth
- Performing just the password reset
- Detecting non-standard deployment paths of ScriptCase
“In the scenario where the two vulnerabilities are chained… the password reset sets the current session as authenticated, so the command injection can be performed with the same cookie,” they noted.
These vulnerabilities offer complete server takeover from an unauthenticated attacker—making them a high-priority threat for any organization using ScriptCase.
“An attacker can arbitrarily reset the password… retrieve database credentials… [and] gain access to the server,” warned the advisory.
Mitigation advice includes:
- Blocking access to the prod console via reverse proxy (especially login.php, nm_ini_manager2.php, and test wizard endpoints).
- Refactoring input handling to avoid shell_exec() and adopting secure libraries like phpseclib.
- Ensuring CAPTCHA generation is hardened against automation.
The application itself does not log activity, so detection must rely on reviewing HTTP access logs. Exploitation attempts typically target:
- /prod/lib/php/devel/iface/login.php
- /prod/lib/php/devel/lib/php/secureimage.php
- /prod/lib/php/devel/iface/admin_sys_allconections_test.php
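One way to turn that into a log check, added here as an example that is not part of the advisory or the article: a Python script that parses combined-format access logs and flags any client that requests the three endpoints above in the order the chain visits them. The log lines are constructed; the suffix match allows for the non-standard deployment prefixes the advisory mentions, and a client hitting the connection-test endpoint alone would also merit review.

```python
import re
from collections import defaultdict

# Prod-console endpoints named in the advisory, in the order the chained exploit
# touches them: session init -> CAPTCHA fetch -> connection test (the shell_exec sink).
CHAIN = (
    "/prod/lib/php/devel/iface/login.php",
    "/prod/lib/php/devel/lib/php/secureimage.php",
    "/prod/lib/php/devel/iface/admin_sys_allconections_test.php",
)
# Apache/nginx combined log format: client ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not combined-format; caller skips it
    client, ts, method, path, status = m.groups()
    return {"client": client, "ts": ts, "method": method,
            "path": path.split("?", 1)[0], "status": int(status)}

def find_chain_hits(lines):
    """Map client -> timestamp of the request that completed the three-step chain.
    endswith() tolerates a non-standard deployment prefix in front of /prod/."""
    progress = defaultdict(int)  # client -> index of the next expected CHAIN step
    hits = {}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        step = progress[rec["client"]]
        if step < len(CHAIN) and rec["path"].endswith(CHAIN[step]):
            progress[rec["client"]] = step + 1
            if step + 1 == len(CHAIN):
                hits[rec["client"]] = rec["ts"]
    return hits
# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2025:10:00:01 +0000] "GET /prod/lib/php/devel/iface/login.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jun/2025:10:00:02 +0000] "GET /prod/lib/php/devel/lib/php/secureimage.php HTTP/1.1" 200 1400',
    '203.0.113.7 - - [10/Jun/2025:10:00:03 +0000] "POST /prod/lib/php/devel/iface/login.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [10/Jun/2025:10:00:05 +0000] "POST /prod/lib/php/devel/iface/admin_sys_allconections_test.php HTTP/1.1" 200 88',
    '192.0.2.44 - - [10/Jun/2025:11:00:00 +0000] "GET /apps/sc/prod/lib/php/devel/iface/login.php HTTP/1.1" 200 512',
    '192.0.2.44 - - [10/Jun/2025:11:00:01 +0000] "GET /apps/sc/prod/lib/php/devel/lib/php/secureimage.php?x=1 HTTP/1.1" 200 1400',
    '192.0.2.44 - - [10/Jun/2025:11:00:04 +0000] "POST /apps/sc/prod/lib/php/devel/iface/admin_sys_allconections_test.php HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for client, ts in find_chain_hits(SAMPLE_LOG).items():
        print(f"possible prod-console exploit chain from {client}, completed at {ts}")
```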