CVE-2025-47227
published 2025-07-05

Priority: P2 · 63 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EXPLOIT
EPSS: 1.96% (77.8th percentile)

In the Production Environment extension in Netmake ScriptCase through 9.12.006 (23), the Administrator password reset mechanism is mishandled. Making both a GET and a POST request to login.php is sufficient. An unauthenticated attacker can then bypass authentication via administrator account takeover.

Affected

1 range

Vendor | Product | Version range | Fixed in
scriptcase | scriptcase | <= 9.12.006 (23) |

Detection & IOCs (extracted from sources)

url: /prod/lib/php/devel/iface/login.php
path: /prod/lib/php/devel/iface/login.php
path: /prod/lib/php/devel/lib/php/secureimage.php
path: /prod/lib/php/devel/iface/admin_sys_allconections_test.php
path: /prod/lib/php/devel/iface/admin_sys_allconections_create_wizard.php
command: 'ssh_localportforwarding': f'; {cmd};#'
  • Detect unauthenticated password reset attempts: look for a GET request immediately followed by a POST to login.php with POST body containing 'nm_action=change_pass'. This two-request sequence (GET then POST) is the core of the auth bypass.
  • Alert on POST requests to /prod/lib/php/devel/iface/login.php containing the parameters 'nm_action=change_pass' and 'ajax=nm' from unauthenticated sessions.
  • Detect command injection via SSH local port forwarding field: monitor POST requests to admin_sys_allconections_test.php where 'ssh_localportforwarding' parameter contains shell metacharacters (semicolons, hash/comment characters).
  • Successful password reset response is the JSON string {"result":"success"}. Monitor HTTP responses from login.php containing this string as a sign of exploitation.
  • Session fixation is present: the session cookie is not renewed after login. Correlate pre- and post-authentication requests sharing the same session cookie to detect account takeover.
  • Detect deployment path enumeration: look for GET requests probing the JavaScript variable 'sc_pathToTB' pattern or requests to /devel/conf/scriptcase/img/ico/favicon.ico used by the exploit to fingerprint ScriptCase installations.
  • The exploit targets the Production Environment extension specifically (version 1.0.003-build-2), not the base ScriptCase development console. The vulnerable login.php path is under /prod/lib/php/devel/iface/, distinct from the development console path /devel/iface/login.php.
  • The exploit includes OCR-based CAPTCHA bypass using Tesseract. If the CAPTCHA implementation is strengthened or replaced, the automated password reset step may fail, but manual CAPTCHA input is also supported as a fallback in the exploit.
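
The detection notes above, expressed as a small log-correlation routine. This is an added example, not code from the advisory or from ScriptCase. It assumes a reverse proxy or WAF that records request bodies and response bodies as time-ordered records; the record field names (ts, src, method, path, body, resp), the 60-second window and the sample records are constructed for illustration.

```python
# Added example: page-derived detection rules run over constructed proxy records.
from urllib.parse import parse_qs

LOGIN = "/prod/lib/php/devel/iface/login.php"
CONN_TEST = "/prod/lib/php/devel/iface/admin_sys_allconections_test.php"
WINDOW = 60  # max seconds between GET and POST; a tuning assumption

def detect(events):
    """Return alerts as (rule, src, ts) tuples; events must be time-ordered."""
    alerts, last_get = [], {}
    for e in events:
        # Decode the form body so URL-encoded metacharacters are compared in clear.
        params = {k: v[0] for k, v in parse_qs(e.get("body", "")).items()}
        if e["path"].endswith(LOGIN):
            if e["method"] == "GET":
                last_get[e["src"]] = e["ts"]
            elif (e["method"] == "POST"
                  and params.get("nm_action") == "change_pass"
                  and params.get("ajax") == "nm"):
                seen = last_get.get(e["src"])
                paired = seen is not None and e["ts"] - seen <= WINDOW
                rule = "reset_sequence" if paired else "reset_post"
                if '{"result":"success"}' in e.get("resp", ""):
                    rule += "+success"  # server confirmed the password change
                alerts.append((rule, e["src"], e["ts"]))
        elif e["path"].endswith(CONN_TEST) and e["method"] == "POST":
            field = params.get("ssh_localportforwarding", "")
            if any(c in field for c in ";#"):
                alerts.append(("ssh_field_metachar", e["src"], e["ts"]))
    return alerts

# Constructed sample records (not captured traffic); documentation address ranges.
SAMPLE = [
    {"ts": 100, "src": "198.51.100.7", "method": "GET", "path": LOGIN},
    {"ts": 103, "src": "198.51.100.7", "method": "POST", "path": LOGIN,
     "body": "ajax=nm&nm_action=change_pass", "resp": '{"result":"success"}'},
    {"ts": 110, "src": "198.51.100.7", "method": "POST", "path": CONN_TEST,
     "body": "ssh_localportforwarding=%3B+CMD%3B%23"},  # placeholder payload
    {"ts": 200, "src": "203.0.113.9", "method": "POST", "path": LOGIN,
     "body": "field=value"},  # POST without the reset parameters: no alert
    {"ts": 300, "src": "203.0.113.9", "method": "POST", "path": CONN_TEST,
     "body": "ssh_localportforwarding=3307"},  # plain numeric value: no alert
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Correlating on the session cookie instead of the source address fits the session fixation note above, where the proxy logs that cookie.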