CVE-2025-69212
Published: 06 February 2026
Summary
CVE-2025-69212 is a high-severity OS Command Injection (CWE-78) vulnerability in Devcode Openstamanager. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Validates filenames and contents of uploaded ZIP files with .p7m attachments to prevent OS command injection during P7M decoding.
Remediates the specific OS command injection flaw in OpenSTAManager's P7M file decoding functionality through timely patching or updates.
Monitors the system for anomalous command executions triggered by malicious filenames in the P7M decoding process.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an OS command injection in a network-accessible web application (T1190: Exploit Public-Facing Application), directly enabling arbitrary system command execution (T1059: Command and Scripting Interpreter).
NVD Description
OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. An authenticated attacker can upload a ZIP file containing…
more
a .p7m file with a malicious filename to execute arbitrary system commands on the server.
Deeper analysisAI
CVE-2025-69212 is a critical OS Command Injection vulnerability (CWE-78) in OpenSTAManager, an open source management software for technical assistance and invoicing. The flaw affects versions 2.9.8 and earlier, specifically in the P7M (signed XML) file decoding functionality. Published on 2026-02-06, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts.
An authenticated attacker with low privileges can exploit the vulnerability over the network with low complexity and no user interaction required. By uploading a ZIP file containing a .p7m file with a malicious filename, the attacker triggers arbitrary system command execution on the server.
Mitigation details are available in the GitHub Security Advisory at https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36.
Details
- CWE(s)