CVE-2025-14701
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in Crafty Controller's Server MOTD component allows remote unauthenticated attackers to inject malicious scripts. When users view the modified MOTD, the scripts execute in their browsers, potentially stealing credentials or performing unauthorized actions. All Crafty Controller instances with the vulnerable component are affected.
💻 Affected Systems
- Crafty Controller
📦 What is this software?
Crafty Controller by Craftycontrol
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, compromise the Crafty Controller admin panel, pivot to underlying servers, or deploy ransomware on managed game servers.
Likely Case
Session hijacking leading to unauthorized access to the Crafty Controller interface, allowing attackers to modify server configurations, install malicious plugins, or disrupt game server operations.
If Mitigated
With proper input validation and output encoding in place, injected scripts are rendered as harmless text rather than executed as code.
🎯 Exploit Status
The vulnerability is straightforward to exploit as it requires no authentication and involves simple script injection into the MOTD field.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check the GitLab issue for the specific patched version
Vendor Advisory: https://gitlab.com/crafty-controller/crafty-4/-/issues/647
Restart Required: Yes
Instructions:
1. Update Crafty Controller to the latest version.
2. Restart the Crafty Controller service.
3. Verify the fix by checking that script tags in the MOTD are properly sanitized.
🔧 Temporary Workarounds
Disable Server MOTD Feature
Temporarily disable the Server MOTD component to prevent exploitation.
Edit Crafty Controller configuration to disable MOTD feature
Implement WAF Rules
Configure the web application firewall to block XSS payloads in MOTD requests.
Add WAF rule to filter script tags and JavaScript in MOTD parameters
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources.
- Restrict network access to Crafty Controller admin interface using firewall rules or VPN.
🔍 How to Verify
Check if Vulnerable:
Attempt to inject a simple XSS payload like <script>alert('test')</script> into the Server MOTD field and see if it executes when viewed.
Check Version:
Check Crafty Controller version in admin interface or via command: crafty --version
Verify Fix Applied:
After patching, test the same XSS payload; it should appear as plain text without executing.
📡 Detection & Monitoring
Log Indicators:
- Unusual MOTD modifications containing script tags or JavaScript code
- Multiple failed login attempts followed by MOTD changes
Network Indicators:
- HTTP POST requests to MOTD endpoint with script payloads
- Unusual traffic patterns to Crafty Controller admin interface
SIEM Query:
source="crafty.log" AND ("MOTD" AND ("<script>" OR "javascript:"))
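The log indicators and SIEM query above, turned into a small scanner as an added example (not code from the advisory or from Crafty Controller). It assumes a constructed log line format for MOTD updates and failed logins, flags MOTD changes that carry script payloads, and goes a step beyond the page's query by matching case-insensitively and catching inline event-handler attributes; it also flags a MOTD change that follows a burst of failed logins.

```python
import re

# Patterns mirroring the page's SIEM query ("<script>" OR "javascript:"),
# broadened to be case-insensitive and to also catch inline event handlers.
SUSPICIOUS_MOTD = re.compile(r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

# Assumed log line shapes (constructed for this example; not Crafty's real format):
#   "<date> <time> <LEVEL> motd updated server=<id> by=<user> motd="<text>""
#   "<date> <time> <LEVEL> login failed user=<user> src=<ip>"
MOTD_LINE = re.compile(
    r'^(?P<ts>\S+ \S+) \S+ motd updated server=(?P<server>\d+) '
    r'by=(?P<user>\S+) motd="(?P<motd>.*)"$'
)
FAILED_LOGIN = re.compile(r"login failed user=\S+ src=\S+")


def scan_log(lines, failed_login_threshold=2):
    """Flag MOTD updates that carry script payloads (first log indicator) or
    that directly follow a burst of failed logins (second log indicator)."""
    alerts, recent_failures = [], 0
    for line in lines:
        if FAILED_LOGIN.search(line):
            recent_failures += 1
            continue
        m = MOTD_LINE.match(line)
        if not m:
            continue
        reasons = []
        if SUSPICIOUS_MOTD.search(m["motd"]):
            reasons.append("script_payload")
        if recent_failures >= failed_login_threshold:
            reasons.append(f"after_{recent_failures}_failed_logins")
        recent_failures = 0  # a MOTD change closes the failed-login window
        if reasons:
            alerts.append({"ts": m["ts"], "server": m["server"], "user": m["user"],
                           "reason": ",".join(reasons), "motd": m["motd"]})
    return alerts


# Constructed sample lines, including the page's own test payload.
SAMPLE_LOG = [
    '2025-01-10 12:00:01 INFO motd updated server=1 by=admin motd="Welcome to the server!"',
    '2025-01-10 12:00:05 WARNING login failed user=admin src=203.0.113.7',
    '2025-01-10 12:00:06 WARNING login failed user=admin src=203.0.113.7',
    '2025-01-10 12:00:09 INFO motd updated server=1 by=anonymous motd="<SCRIPT>alert(\'test\')</SCRIPT>"',
    '2025-01-10 12:01:00 INFO motd updated server=2 by=admin motd="Join <a href=\'javascript:void(0)\'>here</a>"',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```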