CVE-2025-48868
Published 2025-09-24
Priority: P2 58 · Severity: high · CVSS 3.1 base score: 7.2
CVSS vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Tags: EXPLOIT
EPSS: 2.33% (81.4th percentile)
Horilla is a free and open source Human Resource Management System (HRMS). An authenticated Remote Code Execution (RCE) vulnerability exists in Horilla 1.3.0 due to the unsafe use of Python’s eval() function on a user-controlled query parameter in the project_bulk_archive view. This allows privileged users (e.g., administrators) to execute arbitrary system commands on the server. While having Django’s DEBUG=True makes exploitation visibly easier by returning command output in the HTTP response, this is not required. The vulnerability can still be exploited in DEBUG=False mode by using blind payloads such as a reverse shell, leading to full remote code execution. This issue has been patched in version 1.3.1.
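The bug class described above is worth seeing next to its fix. The following is a hypothetical illustration written for this page, not Horilla's code and not the patch from 1.3.1: both functions take the raw string value of the `is_active` query parameter, the first one evaluates it the way the advisory describes, the second maps an explicit allowlist of literals to booleans and rejects anything else.

```python
# Hypothetical illustration of the eval()-on-a-query-parameter bug class.
# This is not Horilla's view code; the parameter name is taken from the
# advisory, the function bodies are constructed for this page.

def parse_is_active_unsafe(raw: str):
    """Vulnerable pattern: eval() turns a query-string value into executable
    Python, so whoever can reach the view controls what the server runs."""
    return eval(raw)  # shown only to contrast with the safe version below


# Strict allowlist: the only strings the parameter is ever allowed to carry.
ALLOWED = {"True": True, "False": False}


def parse_is_active(raw: str) -> bool:
    """Hardened pattern: look the literal up in an allowlist and reject
    everything else, so the parameter can never become code."""
    try:
        return ALLOWED[raw]
    except KeyError:
        raise ValueError(
            f"is_active must be one of {sorted(ALLOWED)}, got {raw!r}"
        ) from None


if __name__ == "__main__":
    for sample in ("True", "False", "1 == 1"):
        try:
            print(sample, "->", parse_is_active(sample))
        except ValueError as exc:
            print(sample, "-> rejected:", exc)
```

The hardened version deliberately does not try to "sanitize" the string; any value outside the two expected literals is an error, which is the same shape a Django form field or a typed query-parameter parser would give you.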
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| horilla-opensource | horilla | — | — |
| horilla | horilla | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP POST requests to the project-bulk-archive endpoint whose `is_active` query parameter contains suspicious characters, especially shell metacharacters, backticks, or encoded command-injection sequences (e.g. `%26`, `/dev/tcp/`).
- Alert on outbound TCP connections from the web server process (e.g. the Python/Django worker) to unexpected external IPs/ports; these indicate a reverse shell spawned via `/dev/tcp`.
- In DEBUG=False (blind RCE) mode no command output is returned in the HTTP response, so detect exploitation attempts by monitoring for reverse-shell callbacks from the Horilla server instead.
- Flag POST requests to the bulk-archive view that carry both a `csrfmiddlewaretoken` and an `ids` body parameter alongside a suspicious `is_active` query string; this matches the exploit's exact request structure.
- Exploitation requires an authenticated session (privileged user, e.g. administrator), so detection rules should expect valid session cookies and CSRF tokens to be present in malicious requests.
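The first and fourth detection notes amount to one rule: a POST to the bulk-archive view whose `is_active` value is anything other than a boolean literal. The scanner below is an added example for this page, not a rule from the indexed sources or from the Horilla project, and it runs over constructed access-log lines. It assumes the view's URL path contains `project-bulk-archive` and that `True`/`False` are the only legitimate values; both are assumptions to adjust for a real deployment. It allowlists the expected literals rather than blocklisting characters, and only uses the advisory's indicators (shell metacharacters, backticks, `/dev/tcp/`) to label why a value looked hostile.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumptions, not taken from the advisory: the URL path of the view and the
# set of values the parameter legitimately carries. Tune both per deployment.
ENDPOINT_MARKER = "project-bulk-archive"
EXPECTED_VALUES = {"True", "False"}

# Indicators named in the advisory's detection notes.
SHELL_META = re.compile(r"[;&|`$(){}<>]")
DEV_TCP = re.compile(r"/dev/tcp/")

# Request line inside a combined-format access log entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines for this example; not real traffic. 203.0.113.0/24
# is the TEST-NET-3 documentation range.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Sep/2025:10:01:02 +0000] "POST /project/project-bulk-archive?is_active=True HTTP/1.1" 302 0
10.0.0.5 - - [24/Sep/2025:10:01:09 +0000] "POST /project/project-bulk-archive?is_active=False HTTP/1.1" 302 0
10.0.0.9 - - [24/Sep/2025:10:02:15 +0000] "POST /project/project-bulk-archive?is_active=%60id%60 HTTP/1.1" 500 2048
10.0.0.9 - - [24/Sep/2025:10:02:40 +0000] "POST /project/project-bulk-archive?is_active=True%26%26/dev/tcp/203.0.113.7/4444 HTTP/1.1" 500 2048
10.0.0.7 - - [24/Sep/2025:10:03:00 +0000] "POST /project/project-bulk-archive?is_active=1 HTTP/1.1" 302 0
10.0.0.7 - - [24/Sep/2025:10:03:10 +0000] "GET /project/project-view/ HTTP/1.1" 200 5120
"""


def classify(value: str) -> list:
    """Label why a non-boolean is_active value looks hostile."""
    reasons = []
    if DEV_TCP.search(value):
        reasons.append("dev-tcp-callback")
    if SHELL_META.search(value):
        reasons.append("shell-metacharacters")
    if not reasons:
        reasons.append("unexpected-literal")  # not an indicator, still not a boolean
    return reasons


def scan_line(line: str):
    """Return a finding dict for a suspicious bulk-archive POST, else None."""
    m = REQUEST_LINE.search(line)
    if not m or m.group("method") != "POST":
        return None
    parts = urlsplit(m.group("target"))
    if ENDPOINT_MARKER not in parts.path:
        return None
    # parse_qs splits on '&' first and percent-decodes afterwards, so an
    # encoded %26 stays inside the value instead of starting a new parameter.
    values = parse_qs(parts.query, keep_blank_values=True).get("is_active", [])
    for value in values:
        if value not in EXPECTED_VALUES:
            return {"client": line.split()[0], "value": value, "reasons": classify(value)}
    return None


def scan_log(text: str) -> list:
    """Run scan_line over every line and collect the findings."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Because the rule is an allowlist, an encoding trick that gets past the metacharacter regex is still reported, just with the weaker `unexpected-literal` label; the character classes only add context for triage. Pair it with the egress alerting from the second and third notes, since in DEBUG=False mode the request itself is the only artefact the web tier will show.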
References
- https://drive.google.com/file/d/1XQAJilt77QxkjGEa94CsZRqZIZXa3ET9/view?usp=sharing
- https://drive.google.com/file/d/1hnI9AK3fnpVrTlTRF7aRJsKhZCDIm2Ve/view?usp=sharing
- https://github.com/horilla-opensource/horilla/commit/b0aab62b3a5fe6b7114b5c58db129b3744b4d8cc
- https://github.com/horilla-opensource/horilla/security/advisories/GHSA-h6qj-pwmx-wjhw