CRITICAL · CVE-2025-66022 · CVSS 9.7

FACTION Unauthenticated Custom Extension Upload leads to RCE


Platform: other

Component: faction

Fixed in: 1.7.2

AI Confidence: high · NVD · EPSS 0.8% · Reviewed: May 2026

CVE-2025-66022 describes a Remote Code Execution (RCE) vulnerability within the FACTION PenTesting Report Generation and Collaboration Framework. This vulnerability allows an unauthenticated attacker to execute arbitrary system commands on the server hosting FACTION. It affects versions of FACTION prior to 1.7.1, and a fix is available in version 1.7.1.

Impact and Attack Scenarios

The impact of CVE-2025-66022 is severe. An attacker exploits it by uploading a malicious extension through the /portal/AppStoreDashboard endpoint, which does not require authentication. Once the extension is installed, its lifecycle hooks run arbitrary system commands on the server with the privileges of the account FACTION runs under. That is enough to read sensitive data such as the penetration-test findings and reports FACTION stores, install malware or persistence, and pivot to other systems on the network; if FACTION runs as root or under a privileged service account, the attacker obtains full control of the host. Because no credentials are needed, any client that can reach the endpoint can attempt the attack.

Exploitation Context

CVE-2025-66022 was publicly disclosed on 2025-11-26. The likelihood of exploitation is rated high because no authentication is required and the attack path is an ordinary extension upload rather than a memory-corruption bug or a race condition. Public proof-of-concept (PoC) code is likely to emerge, which would further increase the risk. The vulnerability is not currently listed in the CISA KEV catalog, but its critical severity warrants close monitoring.

Who Is at Risk

Organizations that use FACTION for penetration testing and report generation are at risk, including internal security teams, consultants, and any environment where FACTION is deployed. Because no account is required, exposure is determined by network reachability: internet-facing instances are the most exposed, and instances on internal networks are reachable by anyone who has already obtained a foothold on that network. Compromising a user account is not a prerequisite for the attack.

Detection Steps

• linux / server: Monitor system logs for extension installation or execution events, and look for child processes of the FACTION service account that run unexpected commands (shells, curl or wget, package managers). The journalctl example below assumes FACTION runs as a systemd unit named faction; adjust the unit name, or read the container's log stream instead, to match your deployment.

journalctl -u faction -f | grep -i 'extension' 

• generic web: Request the /portal/AppStoreDashboard endpoint without a session cookie and without following redirects. Use GET rather than HEAD, and inspect the status code: a 200 that serves the dashboard to an anonymous client indicates the unauthenticated endpoint is present, whereas a 401/403 or a redirect to the login page is the expected behaviour of a patched instance. Confirm against the running version rather than treating the status code alone as proof.

curl -sS -o /dev/null -w '%{http_code} %{redirect_url}\n' http://<faction_server>/portal/AppStoreDashboard

• windows / supply-chain: On Windows hosts that run FACTION, or that an attacker could reach by pivoting from a compromised FACTION server, examine scheduled tasks and autoruns entries for unexpected FACTION-named tasks or startup programs, which are common persistence mechanisms after code execution.

Get-ScheduledTask | Where-Object {$_.TaskName -like '*faction*'}

Attack Timeline

  1. Disclosure

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.81% (74th percentile)

CISA SSVC

Exploitation: poc
Automatable: no
Technical Impact: total

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Base score: 9.7 CRITICAL
Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (level of authentication required)
User Interaction: Required (whether a victim action is needed)
Scope: Changed (impact beyond the affected component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service interruption)
Source: nextguardhq.com · CVSS v3.1 base score
What do these metrics mean?
Attack Vector
Network: exploitable remotely over the internet. No physical or local access required.
Attack Complexity
Low: no special conditions required. Reliably exploitable.
Privileges Required
None: unauthenticated. No credentials are needed to exploit.
User Interaction
Required: the victim must open a file, click a link, or visit a page.
Scope
Changed: the attack can pivot beyond the vulnerable component.
Confidentiality
High: total loss of confidentiality. The attacker can read all data.
Integrity
High: the attacker can write, modify, or delete all data.
Availability
High: complete outage or resource exhaustion. Total denial of service.

Affected Software

Component: faction
Vendor: factionsecurity
Affected range: < 1.7.1
Fixed in: 1.7.2

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-66022 is to upgrade FACTION to version 1.7.1 or later. If upgrading is not immediately feasible, apply temporary workarounds: restrict access to the /portal/AppStoreDashboard endpoint at a Web Application Firewall (WAF) or reverse proxy, either by allowlisting trusted source addresses or by requiring authentication at the proxy layer, so the endpoint is no longer reachable anonymously. Review installed extensions for any that are unexpected or were not deployed by an administrator. Monitor system logs for extension installation or execution events. Run FACTION under a dedicated, low-privilege service account with strict file access controls, so that a successful command execution gains as little as possible. After upgrading, confirm the fix by requesting /portal/AppStoreDashboard without a session and verifying that the server refuses the request or redirects to the login page instead of serving the dashboard.
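As an added example (not code from this advisory or from the FACTION project), the following Python script performs the unauthenticated probe of /portal/AppStoreDashboard described under Detection Steps and doubles as the post-upgrade confirmation above. It sends a cookie-less GET without following redirects and classifies the answer. The endpoint path is taken from the advisory; how a patched instance signals that authentication is required (401/403, a redirect to a login URL, or an inline login form) is an assumption, so calibrate the verdicts against a known-patched instance. The responses exercised in the usage note are constructed.

```python
"""Probe FACTION's /portal/AppStoreDashboard for anonymous reachability (CVE-2025-66022).

Added example, not code from the advisory or the FACTION project. The endpoint path
is from the advisory; the "gated" signals (401/403, redirect to a login URL, inline
login form) are assumptions about how a patched instance answers.
"""
import http.client
import ssl
import sys
from urllib.parse import urlsplit

ENDPOINT = "/portal/AppStoreDashboard"
LOGIN_HINTS = ("login", "signin", "auth")  # substrings that mark a login URL (assumption)


def looks_like_login_form(body: bytes) -> bool:
    """True if an HTML body is itself a login page (a 200 can still be gated)."""
    text = body.decode("utf-8", errors="replace").lower()
    return "<form" in text and 'type="password"' in text


def classify(status: int, headers, body: bytes = b"") -> str:
    """Map one raw response to 'unauthenticated-reachable', 'gated' or 'inconclusive'.

    headers is an iterable of (name, value) pairs, as http.client returns them.
    """
    hdrs = {k.lower(): v for k, v in headers}
    if status in (401, 403):
        return "gated"
    if 300 <= status < 400:
        location = hdrs.get("location", "").lower()
        # A bounce to a login page is the expected patched behaviour; any other
        # redirect (e.g. to another portal page) tells us nothing by itself.
        return "gated" if any(h in location for h in LOGIN_HINTS) else "inconclusive"
    if 200 <= status < 300:
        return "gated" if looks_like_login_form(body) else "unauthenticated-reachable"
    return "inconclusive"


def probe(base_url: str, timeout: float = 10.0, verify_tls: bool = True):
    """GET the endpoint with no cookies and no redirect following; return (status, headers, body).

    GET rather than HEAD: a HEAD can be answered identically whether or not the
    page is gated, so it cannot tell the two cases apart.
    """
    u = urlsplit(base_url)
    if u.scheme == "https":
        ctx = ssl.create_default_context()
        if not verify_tls:
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(u.hostname, u.port or 443, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        conn.request("GET", ENDPOINT, headers={"Accept": "text/html", "User-Agent": "cve-2025-66022-check"})
        resp = conn.getresponse()
        return resp.status, resp.getheaders(), resp.read(65536)
    finally:
        conn.close()


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} http[s]://<faction_server>[:port]", file=sys.stderr)
        return 2
    status, headers, body = probe(argv[1])
    verdict = classify(status, headers, body)
    print(f"{argv[1]}{ENDPOINT} -> HTTP {status}: {verdict}")
    # Non-zero exit when the dashboard is served anonymously, for use as a pre/post-upgrade gate.
    return 1 if verdict == "unauthenticated-reachable" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check.py https://faction.example.internal` before and after the upgrade; the exit status is 1 only when an anonymous GET is served the dashboard, so it can gate a deployment pipeline. With constructed responses, `classify(302, [("Location", "/login.jsp")])` and `classify(401, [])` both return "gated", `classify(200, [], b"<h1>App Store</h1>")` returns "unauthenticated-reachable", and a 302 to some other portal page returns "inconclusive", which is the prompt to compare against a known-patched instance rather than to guess.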

How to Fix

Upgrade FACTION to version 1.7.1 or later. This version fixes the vulnerability that allows unauthenticated remote code execution. The update prevents attackers from uploading malicious extensions and executing arbitrary commands on the server.


Frequently Asked Questions

What is CVE-2025-66022 — RCE in FACTION PenTesting Framework?

CVE-2025-66022 is a critical Remote Code Execution vulnerability in FACTION versions prior to 1.7.1. An unauthenticated attacker can upload malicious extensions to execute arbitrary system commands.

Am I affected by CVE-2025-66022 in FACTION?

You are affected if you are running a FACTION version prior to 1.7.1. Upgrade to version 1.7.1 or later to mitigate the risk.

How do I fix CVE-2025-66022 in FACTION?

Upgrade FACTION to version 1.7.1 or later. As a temporary workaround, restrict access to the /portal/AppStoreDashboard endpoint using a WAF or proxy.

Is CVE-2025-66022 being actively exploited?

While there is no confirmed active exploitation at this time, the vulnerability's severity and ease of exploitation suggest it is likely to be targeted.

Where can I find the official FACTION advisory for CVE-2025-66022?

Refer to the FACTION project's official website or security advisory page for the latest information and updates regarding CVE-2025-66022.
