Critical Security Flaws Found in ScriptCase Development Platform

If your organization uses ScriptCase — a popular low-code platform for building PHP web applications — recent security alerts should be taken seriously. Cybersecurity researchers at Synacktiv have discovered two major vulnerabilities that could enable attackers to fully compromise affected servers, leading to potential data theft, system control, and more.

ScriptCase helps developers rapidly create PHP applications through a visual, drag-and-drop interface. While most use it during the development phase, some deploy its Production Environment (or prod console) directly on live servers for managing databases and server settings. Unfortunately, vulnerabilities in this component can be exploited to take over the entire system.

The Vulnerabilities

Both critical flaws have been rated with a high-severity CVSS score and are still unpatched:

The first vulnerability, CVE-2025-47227, allows an attacker to bypass authentication and remotely reset the administrator password on the production console. This is achieved by sending specially crafted HTTP requests to the login page (prod/lib/php/devel/iface/login.php) and automating CAPTCHA solving—something readily achievable with OCR (Optical Character Recognition) tools. By chaining these requests, an attacker can reset the admin password without any prior credentials, gaining full administrative control over the console.

The second vulnerability, CVE-2025-47228, comes into play once the attacker has gained access. It involves a command injection flaw in how SSH connection settings are processed within the system. User inputs—such as SSH server addresses, ports, or local forwarding options—are concatenated directly into shell commands without proper sanitization. Attackers can inject malicious commands, like ; touch ghijkl ;, which are then executed by the server shell. This results in arbitrary command execution, allowing the attacker to run any commands they choose, leading to full control over the server environment.

These vulnerabilities are particularly dangerous because they require no prior authentication to initiate the attack and can be exploited remotely over the internet. Hackers can also automate the process to compromise multiple systems simultaneously.

If exploited, attackers could not only take over the production console but also gain full access to the underlying server, risking sensitive data and operational stability.

There is currently no official fix or patch available. Until one is released, organizations using ScriptCase should:

  • Restrict network access to the production console, limiting it to trusted IP addresses.
  • Block access to specific endpoints such as /prod/lib/php/devel/iface/login.php and related admin scripts via firewalls or reverse proxies.
  • Monitor server logs for suspicious activity, follow the ScriptCase vendor's announcements and release page, and apply patches as soon as they become available.
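One way to carry out the log-monitoring step, shown as an added example that is not from the Synacktiv report or from ScriptCase: it counts requests to the production console from clients outside a trusted range. The access-log format, the trusted network, the alert threshold, the directory prefix and the sample lines are all assumptions made for illustration.

```python
import ipaddress
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

# Assumption: the web server writes common/combined access-log format.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
# Assumption: related admin scripts share the directory of the login script named in the article.
CONSOLE_PREFIX = "/prod/lib/php/devel/"
# Assumption: networks allowed to reach the console (constructed value).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '10.1.2.3 - - [01/Jul/2025:10:00:00 +0000] "GET /prod/lib/php/devel/iface/login.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jul/2025:10:00:01 +0000] "GET /prod/lib/php/devel/iface/login.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jul/2025:10:00:02 +0000] "POST //prod/lib/php/devel/iface/login.php?x=1 HTTP/1.1" 200 312',
    '203.0.113.7 - - [01/Jul/2025:10:00:03 +0000] "POST /prod/lib/php/%64evel/iface/login.php HTTP/1.1" 200 312',
    '198.51.100.23 - - [01/Jul/2025:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 900',
]

def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # hostname or garbage in the client field
        return False
    return any(addr in net for net in TRUSTED_NETS)

def normalize(target):
    # Drop the query string, decode %xx, and collapse "//" and "/./" so
    # cosmetic path variations still match the prefix.
    path = unquote(target.split("?", 1)[0])
    return "/" + posixpath.normpath(path).lstrip("/")

def untrusted_console_hits(lines):
    """Count prod-console requests per client IP outside TRUSTED_NETS."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and normalize(m.group(3)).startswith(CONSOLE_PREFIX):
            if not is_trusted(m.group(1)):
                hits[m.group(1)] += 1
    return hits

def repeat_offenders(lines, min_hits=3):
    """IPs with at least min_hits console requests (threshold is an assumption)."""
    return sorted(ip for ip, n in untrusted_console_hits(lines).items() if n >= min_hits)

if __name__ == "__main__":
    for ip, n in untrusted_console_hits(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {n} request(s) to the production console")
```

If the console is already restricted to trusted addresses, any hit this reports means the restriction is not being enforced where the log is written.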

Security is an ongoing challenge, and it's crucial to minimize exposure, especially in production environments, by restricting access and implementing protective measures to safeguard your systems.

For detailed technical insights and updates, visit the official security report here.

