CVE-2025-47227
published 2025-07-05
Priority P263 · high · 7.5 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EXPLOIT
EPSS: 1.96% (77.8th percentile)
In the Production Environment extension in Netmake ScriptCase through 9.12.006 (23), the Administrator password reset mechanism is mishandled. Making both a GET and a POST request to login.php is sufficient. An unauthenticated attacker can then bypass authentication via administrator account takeover.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| scriptcase | scriptcase | <= 9.12.006 (23) | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated password reset attempts: look for a GET request immediately followed by a POST to login.php with POST body containing 'nm_action=change_pass'. This two-request sequence (GET then POST) is the core of the auth bypass.
- Alert on POST requests to /prod/lib/php/devel/iface/login.php containing the parameters 'nm_action=change_pass' and 'ajax=nm' from unauthenticated sessions.
- Detect command injection via SSH local port forwarding field: monitor POST requests to admin_sys_allconections_test.php where 'ssh_localportforwarding' parameter contains shell metacharacters (semicolons, hash/comment characters).
- Successful password reset response is the JSON string {"result":"success"}. Monitor HTTP responses from login.php containing this string as a sign of exploitation.
- Session fixation is present: the session cookie is not renewed after login. Correlate pre- and post-authentication requests sharing the same session cookie to detect account takeover.
- Detect deployment path enumeration: look for GET requests probing the JavaScript variable 'sc_pathToTB' pattern or requests to /devel/conf/scriptcase/img/ico/favicon.ico used by the exploit to fingerprint ScriptCase installations.
- The exploit targets the Production Environment extension specifically (version 1.0.003-build-2), not the base ScriptCase development console. The vulnerable login.php path is under /prod/lib/php/devel/iface/, distinct from the development console path /devel/iface/login.php.
- The exploit includes OCR-based CAPTCHA bypass using Tesseract. If the CAPTCHA implementation is strengthened or replaced, the automated password reset step may fail, but manual CAPTCHA input is also supported as a fallback in the exploit.
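The GET-then-POST correlation and the success-response check from the list above, as an added detection sketch that is not part of the original page or any vendor rule. It assumes a hypothetical JSON-lines proxy or WAF log that records `ts`, `src`, `sid` (session cookie), `method`, `path`, `body` and `resp`; the 300-second window and all sample events are constructed.

```python
import json
from urllib.parse import parse_qs

# Path from the page; the deployment prefix in front of it varies per install.
LOGIN_PATH = "/prod/lib/php/devel/iface/login.php"
WINDOW_SECONDS = 300  # assumption: max gap between the GET and the POST

# Constructed sample events (hypothetical log schema, documentation IPs).
SAMPLE_LINES = [json.dumps(e) for e in [
    {"ts": 100, "src": "203.0.113.7", "sid": "s1", "method": "GET",
     "path": "/app" + LOGIN_PATH, "body": "", "resp": "<html>"},
    {"ts": 102, "src": "203.0.113.7", "sid": "s1", "method": "POST",
     "path": "/app" + LOGIN_PATH, "body": "nm_action=change_pass&ajax=nm",
     "resp": '{"result":"success"}'},
    {"ts": 200, "src": "198.51.100.9", "sid": "s2", "method": "POST",
     "path": "/app" + LOGIN_PATH, "body": "nm_action=change_pass&ajax=nm",
     "resp": '{"result":"error"}'},
    {"ts": 300, "src": "192.0.2.5", "sid": "s3", "method": "GET",
     "path": "/app" + LOGIN_PATH, "body": "", "resp": "<html>"},
    {"ts": 301, "src": "192.0.2.5", "sid": "s3", "method": "POST",
     "path": "/app" + LOGIN_PATH, "body": "nm_action=other", "resp": "<html>"},
]]

def detect_reset_sequence(lines, window=WINDOW_SECONDS):
    """Return one alert per change_pass POST to the production login.php."""
    last_get = {}  # (src, sid) -> timestamp of the latest GET to login.php
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if not ev["path"].split("?", 1)[0].endswith(LOGIN_PATH):
            continue  # also skips the dev console path /devel/iface/login.php
        key = (ev["src"], ev.get("sid"))
        if ev["method"] == "GET":
            last_get[key] = ev["ts"]
            continue
        params = parse_qs(ev.get("body", ""))
        if ev["method"] != "POST" or params.get("nm_action") != ["change_pass"]:
            continue
        preceded = key in last_get and 0 <= ev["ts"] - last_get[key] <= window
        success = '{"result":"success"}' in ev.get("resp", "").replace(" ", "")
        severity = ("critical" if preceded and success
                    else "high" if preceded or success else "medium")
        alerts.append({"ts": ev["ts"], "src": ev["src"], "sid": ev.get("sid"),
                       "ajax_nm": params.get("ajax") == ["nm"],
                       "get_then_post": preceded, "reset_succeeded": success,
                       "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in detect_reset_sequence(SAMPLE_LINES):
        print(json.dumps(alert))
```

Standard access logs do not record request or response bodies, so this only works where a reverse proxy or WAF captures them; a lone `change_pass` POST is still reported at lower severity because the preceding GET may have been logged elsewhere.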
No detection rules found.