Cyber Resilience

CVE-2025-69212

CriticalPublic PoCRCE

Published: 06 February 2026

Published
06 February 2026
Modified
09 February 2026
KEV Added
Patch
CVSS Score v4 9.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0175 75.0th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-69212 is a critical-severity OS Command Injection (CWE-78) vulnerability in Devcode Openstamanager. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 25.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-69212 is a critical OS Command Injection vulnerability (CWE-78) in OpenSTAManager, an open source management software for technical assistance and invoicing. The flaw affects versions 2.9.8 and earlier, specifically in the P7M (signed XML) file decoding functionality. Published on 2026-02-06, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts.

An authenticated attacker with low privileges can exploit the vulnerability over the network with low complexity and no user interaction required. By uploading a ZIP file containing a .p7m file with a malicious filename, the attacker triggers arbitrary system command execution on the server.

Mitigation details are available in the GitHub Security Advisory at https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. An authenticated attacker can upload a ZIP file containing…

more

a .p7m file with a malicious filename to execute arbitrary system commands on the server.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

The vulnerability is an OS command injection in a network-accessible web application (T1190: Exploit Public-Facing Application), directly enabling arbitrary system command execution (T1059: Command and Scripting Interpreter).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-29782Same product: Devcode Openstamanager
CVE-2025-69213Same product: Devcode Openstamanager
CVE-2025-69214Same product: Devcode Openstamanager
CVE-2026-35168Same product: Devcode Openstamanager
CVE-2026-35470Same product: Devcode Openstamanager
CVE-2026-28805Same product: Devcode Openstamanager
CVE-2025-69215Same product: Devcode Openstamanager
CVE-2026-27012Same product: Devcode Openstamanager
CVE-2026-28470Shared CWE-78
CVE-2025-69269Shared CWE-78

Affected Assets

devcode
openstamanager
≤ 2.9.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Validates filenames and contents of uploaded ZIP files with .p7m attachments to prevent OS command injection during P7M decoding.

prevent

Remediates the specific OS command injection flaw in OpenSTAManager's P7M file decoding functionality through timely patching or updates.

detect

Monitors the system for anomalous command executions triggered by malicious filenames in the P7M decoding process.

References