Associated Vulnerability
Title: PocketVJ CP security vulnerability (CVE-2025-63334)
Description: PocketVJ CP is a control panel application by the individual developer magdesign. PocketVJ CP PocketVJ-CP-v3 pvj 3.9.1 contains a security vulnerability: the submit_opacity.php component does not sanitize user input in the opacityValue POST parameter, which may allow a remote attacker to execute arbitrary commands with root privileges.
Description
CVE-2025-63334
Readme
# 🔐 CVE-2025-63334: Critical RCE Vulnerability in PocketVJ CP — Technical & Mitigation Brief 🔐
---
## Summary
* **CVE:** **CVE-2025-63334**.
* **Vulnerability:** Unauthenticated **remote code execution (RCE)** due to an **OS command injection** (CWE-78) in `submit_opacity.php`. ([nvd.nist.gov][1])
* **Product / Affected versions:** PocketVJ CP (PocketVJ-CP-v3), **pvj 3.9.1 and earlier**. ([Gist][2])
* **Published / recorded:** First recorded 5–6 Nov 2025 in public feeds and NVD entries. ([nvd.nist.gov][1])
---
## Technical details (what's broken)
* The vulnerable code reads a POST parameter (`opacityValue`) and passes it directly to a shell command without sanitization, e.g.:
```php
$alphavalue = $_POST['opacityValue'];
shell_exec("sudo /var/www/sync/dbuscontrol.sh setalpha $alphavalue");
```
That allows an attacker to inject shell metacharacters and run arbitrary commands as the sudo target of `dbuscontrol.sh` (root, per the vulnerability description), not merely as the web server user. ([Gist][2])
* **Attack vector:** network (HTTP POST). **Privileges required:** none. **User interaction:** none. Complexity: low. ([Gist][2])
---
## Severity / scores
* Multiple trackers report this as **Critical**. Examples of published scores:
* **CVSS v3.1:** **9.8 (Critical)** — Network, no privileges required, full Confidentiality/Integrity/Availability impact. ([Gist][3])
* Some sites also show a **CVSSv2** 10.0 vector representation. ([Tenable®][4])
(Use NVD / Tenable as authoritative inventory entries; scores may be updated as vendors supply additional info.) ([nvd.nist.gov][1])
---
## Proof-of-Concept (PoC) — defensive use only
* The researcher published a short PoC showing how to inject into `opacityValue`. Example POST body from the disclosure (sanitized here for clarity):
```
POST /submit_opacity.php
Content-Type: application/x-www-form-urlencoded
opacityValue=100;id>/tmp/poc.txt;
```
That payload creates `/tmp/poc.txt` (demonstrates command injection). Full PoC and analysis are in the public gist. Use only for detection/testing on your own systems. ([Gist][2])
---
## Immediate mitigations (what to do **right now**)
1. **If you run PocketVJ CP (pvj 3.9.1 or earlier) — isolate it:**
* Block public access to the web management interface immediately (network ACL / firewall / reverse proxy). Only allow access from trusted IPs or a VPN.
2. **Disable or restrict access to the vulnerable endpoint**:
* If possible, disable `submit_opacity.php` in the webroot or route requests to 403 until patched.
3. **Apply principle of least privilege**:
* Ensure the webserver user cannot run `sudo /var/www/sync/dbuscontrol.sh` without a password, or remove sudo rights for that script. Remove unsafe sudo entries in `/etc/sudoers`.
4. **Patch / update**:
* Check the vendor repository for an official patch or newer release and apply it. (Vendor repo / release page referenced in researcher report.) If a vendor patch is published, update immediately. ([GitHub][5])
5. **Temporary quick fix (if you must keep service online):**
* Replace the vulnerable `shell_exec(...)` call with a safe alternative using `escapeshellarg()` or avoid shell calls altogether (use internal APIs). Example safer pattern:
```php
$alpha = escapeshellarg($_POST['opacityValue']);
shell_exec("sudo /var/www/sync/dbuscontrol.sh setalpha $alpha");
```
— but note: escaping is a stopgap; a vendor patch is preferred. ([Gist][2])
6. **Hunt for compromise**:
* Look for newly created files, unusual processes, or network connections originating from the device/server since Nov 5–6, 2025 (or your local publish date). See detection section below.
---
## Detection / IDS rules & Indicators of Compromise (IoC)
* **HTTP indicators:** POST requests to `/submit_opacity.php` with suspicious characters such as `;`, `>`, `|`, `` ` ``, `$(`, `&&` in the `opacityValue` parameter. Example suspicious POST body:
```
opacityValue=100;whoami> /tmp/who;
```
* **Simple Snort/Suricata signature (example idea):**
* Alert on POST to `/submit_opacity.php` containing `opacityValue=` and shell metacharacters (`;`, `>`, `` ` ``, `&`).
* **Log checks:**
* Webserver access logs for POSTs to `/submit_opacity.php` from unfamiliar IPs.
* Shell history, new files under `/tmp` (like `/tmp/poc.txt`), unexpected `sudo` runs, new user accounts, creation of scheduled jobs (cron), unexpected outbound network traffic.
* **Host indicators:**
* Presence of files written by injected commands (e.g., `/tmp/poc.txt` in the PoC).
* Unexpected processes spawned by the web server user (check `ps aux` for suspicious commands).
* Use the PoC payload patterns in threat hunting but **do not run exploits on production systems** you do not own. ([Gist][2])
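The HTTP indicators above and the input whitelist that mitigation step 5 should enforce, as an added Python example that is not part of the original brief or the PocketVJ project. It assumes a reverse-proxy/WAF log that records the request line and the url-encoded body (the sample lines are constructed), and that a legitimate `opacityValue` is an integer from 0 to 100 (the PoC sends `100`).

```python
import re
from urllib.parse import unquote_plus
# Shell metacharacters the brief lists for opacityValue: ; > | ` $( and &
SHELL_META = re.compile(r"[;>|`&]|\$\(")
# Assumed legitimate shape of opacityValue: an integer 0..100 (the PoC sends 100).
VALID_OPACITY = re.compile(r"^(100|[1-9]?[0-9])$")
# Constructed proxy/WAF log lines: <client ip> "<method> <path>" <url-encoded body>
SAMPLE_LOG = """\
10.0.0.5 "POST /submit_opacity.php" opacityValue=75
203.0.113.9 "POST /submit_opacity.php" opacityValue=100;id>/tmp/poc.txt;
203.0.113.9 "POST /submit_opacity.php" opacityValue=100%3Bwhoami%3E%20/tmp/who%3B
10.0.0.5 "POST /index.php" page=1
198.51.100.4 "POST /submit_opacity.php" opacityValue=abc
"""
LINE_RE = re.compile(r'^(\S+) "(\w+) (\S+)" (.*)$')

def parse_form(body: str) -> dict:
    """Decode a form body the way PHP fills $_POST: '&' separates fields, so a
    metacharacter only reaches the shell inside one value, raw or encoded (%3B)."""
    fields = {}
    for pair in body.split("&"):
        if pair:
            key, _, val = pair.partition("=")
            fields.setdefault(unquote_plus(key), unquote_plus(val))
    return fields

def classify_body(body: str) -> tuple:
    """('no-param'|'injection'|'malformed'|'ok', decoded value) for one POST body.
    'injection' is the page's metacharacter rule; 'malformed' is the whitelist."""
    fields = parse_form(body)
    if "opacityValue" not in fields:
        return ("no-param", "")
    value = fields["opacityValue"]
    if SHELL_META.search(value):
        return ("injection", value)
    if not VALID_OPACITY.match(value):
        return ("malformed", value)
    return ("ok", value)

def scan_log(text: str) -> list:
    """Findings for POSTs to /submit_opacity.php whose body is not clean."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) != "POST" or m.group(3) != "/submit_opacity.php":
            continue
        verdict, value = classify_body(m.group(4))
        if verdict != "ok":
            findings.append({"ip": m.group(1), "verdict": verdict, "value": value})
    return findings
```

Because the value is percent-decoded before matching, an encoded payload such as `%3B` or `%26%26` is flagged the same way as a raw `;` or `&&`; a patched handler should apply the same whitelist and reject anything that is not `ok`.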
---
## Remediation & long-term fixes
* **Apply vendor patch** once available (monitor the vendor GitHub and NVD/Tenable entries). ([GitHub][5])
* **Code hygiene:** Remove direct shell calls that take user input. If shell calls are required, strictly validate input to a whitelist or use `escapeshellarg()` and avoid running as privileged users.
* **Hardening:** Run web apps in containers/VMs with minimal rights; avoid `sudo` from web-exposed scripts.
* **Monitoring:** Add an alerting rule for the specific endpoint and inspect logs historically to determine if the vulnerability was exploited.
---
## References (key sources)
1. NVD / CVE entry for **CVE-2025-63334** (description). ([nvd.nist.gov][1])
2. Researcher disclosure & PoC gist (complete technical writeup + PoC payload). ([Gist][2])
3. Tenable advisory / CVE aggregated entry (score text + summary). ([Tenable®][4])
4. CVEFeed summary (published timestamp / aggregation). ([cvefeed.io][6])
5. Vendor GitHub (PocketVJ-CP-v3 releases page). ([GitHub][5])
---
## Quick checklist you can run through now
* [ ] Block external access to PocketVJ web interface (firewall/ACL).
* [ ] Disable `/submit_opacity.php` or return 403s until patched.
* [ ] Search logs for POSTs to `/submit_opacity.php` since Nov 5–6, 2025.
* [ ] Hunt for suspicious files/processes (`/tmp/*`, `ps aux`, `crontab -l`).
* [ ] Audit `/etc/sudoers` for dangerous entries calling `dbuscontrol.sh` or similar.
* [ ] Watch vendor repo and NVD for an official patch; apply immediately once available. ([Gist][2])
---