ScriptCase Flaws Let Hackers Seize Servers Without Login

Two critical vulnerabilities in ScriptCase’s Production Environment module allow attackers to execute remote commands and gain full control of affected web servers. Security researchers from SYNACTIV identified that the ScriptCase flaws let hackers bypass authentication and inject system-level commands without requiring login credentials.

Tracked as CVE-2025-47227 and CVE-2025-47228, the bugs affect version 1.0.003-build-2 of the Production Environment module in ScriptCase 9.12.006. The first flaw enables password reset without verifying the original password. The second vulnerability allows shell injection through improperly sanitized SSH configuration parameters. These ScriptCase flaws let hackers chain both exploits to hijack servers in three simple steps.

Attackers can reset administrator passwords and run arbitrary commands as the web server user. No patch has been released. To mitigate risks, organizations should restrict access to the Production Environment and block specific PHP endpoints.

Read the full advisory to understand all technical details and mitigation steps:

ScriptCase Vulnerabilities Let Attackers Execute Remote Code and Gain Server Access