Critical vulnerabilities have been disclosed in ScriptCase, a popular low-code platform used for generating PHP web applications, that allow attackers to execute remote commands and gain complete server access without authentication.
The vulnerabilities, tracked as CVE-2025-47227 and CVE-2025-47228, can be chained together to achieve pre-authenticated remote command execution on servers running the affected software.
ScriptCase version 9.12.006 (23) containing Production Environment module version 1.0.003-build-2 is confirmed vulnerable, with earlier versions likely affected as well.
The first vulnerability (CVE-2025-47227) exploits a flaw in the Production Environment’s authentication system that allows attackers to reset the administrator password without knowing the current credentials.
The vulnerability stems from improper session handling in the password reset functionality, where the system checks for a session variable called is_page to determine if a user is authenticated.
Researchers from Synacktiv discovered that by making two specific HTTP requests to the login page with the same session ID, attackers can manipulate the authentication state.
The first request initializes the session and sets the is_page variable to true, while the second request can then successfully execute the password reset function.
This bypass only requires solving a basic CAPTCHA challenge, which researchers demonstrated can be automated using optical character recognition (OCR) tools due to the simplistic nature of the generated images.
The second vulnerability (CVE-2025-47228) exists in the database connection management feature of the Production Environment console.
When configuring SSH local port forwarding for database connections, user input is directly concatenated into SSH system commands without proper sanitization.
This creates a classic shell injection vulnerability that allows authenticated users to execute arbitrary commands on the server.
The vulnerability occurs in the GetListDatabaseNameMySql() function, where parameters such as ssh_localportforwarding are inserted directly into shell commands executed via PHP’s shell_exec() function.
By injecting shell metacharacters and commands into these fields, attackers can execute any system command with the privileges of the web server user, typically www-data on Linux systems.
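The pattern described above, input concatenated into an ssh command string that reaches shell_exec(), is the kind of defect that is fixed by validating the value against the narrow format it is supposed to have and by never letting it reach a shell unescaped. The following is an added illustration written for this article, not ScriptCase's own code: the function names, the argument layout of the ssh command and the sample inputs are assumptions, and only the use of shell_exec() and the ssh_localportforwarding parameter come from the advisory.

```php
<?php
// Added illustration, not ScriptCase code. Shows an unsafe way of building
// an ssh local-port-forwarding command from user input next to a hardened
// version. Function names and command layout are assumptions.

// UNSAFE pattern, as the advisory describes it: the request parameter is
// dropped straight into the command string that shell_exec() will run.
function buildSshCommandUnsafe(string $host, string $localPortForwarding): string
{
    return "ssh -L " . $localPortForwarding . " " . $host . " -N";
}

// A local-port-forwarding spec has exactly one legitimate shape:
// localport:remotehost:remoteport. Anything else is rejected outright.
function validatePortForwarding(string $spec): bool
{
    return (bool) preg_match(
        '/^[1-9][0-9]{0,4}:[A-Za-z0-9][A-Za-z0-9.-]{0,252}:[1-9][0-9]{0,4}$/',
        $spec
    );
}

// The host must not start with "-" (option injection) and may only contain
// characters that appear in user@hostname values.
function validateHost(string $host): bool
{
    return (bool) preg_match('/^[A-Za-z0-9][A-Za-z0-9._@-]{0,252}$/', $host);
}

// HARDENED: strict validation is the real control; escapeshellarg() is
// defence in depth in case the validation is ever relaxed. Returns null
// instead of falling back to the raw string when a value is rejected.
function buildSshCommandSafe(string $host, string $localPortForwarding): ?string
{
    if (!validatePortForwarding($localPortForwarding) || !validateHost($host)) {
        return null;
    }
    return 'ssh -L ' . escapeshellarg($localPortForwarding)
         . ' ' . escapeshellarg($host) . ' -N';
}

// Constructed sample inputs. The second spec carries a shell metacharacter
// sequence of the kind the advisory warns about and must be refused.
$benign  = '3307:127.0.0.1:3306';
$hostile = '3307:127.0.0.1:3306; id';

var_dump(buildSshCommandSafe('db.example.internal', $benign));   // string(...)
var_dump(buildSshCommandSafe('db.example.internal', $hostile));  // NULL
var_dump(buildSshCommandSafe('-oProxyCommand=x', $benign));      // NULL
```

Where the PHP version allows it (7.4 and later), proc_open() also accepts the command as an array of arguments, which launches the program without a shell at all and removes the metacharacter problem at the source; the validation shown above is still worth keeping so that obviously malformed values are logged and rejected rather than passed on to ssh.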
According to the report, Synacktiv first contacted the ScriptCase team in February 2025, but the vulnerabilities remained unpatched for months.
Despite multiple follow-up communications and confirmations that the issues persisted in the latest versions, the vendor took nearly five months to address the problems.
The vulnerabilities were publicly disclosed in July 2025 following standard responsible disclosure practices.
Network-level blocking of specific endpoints including login.php, admin_sys_allconections_test.php, and admin_sys_allconections_create_wizard.php can help prevent exploitation while awaiting vendor fixes.
Organizations using ScriptCase are strongly advised to immediately restrict access to the Production Environment extension, particularly the /prod/lib/php/devel/iface/ directory, until official patches are available.
The research team provided ScriptCase with a complete exploitation script demonstrating how the vulnerabilities can be chained together for maximum impact.
The script automates the entire attack process, including CAPTCHA solving, deployment path detection, and command execution, making it accessible to attackers with limited technical expertise.