CVE-2025-26845
📋 TL;DR
CVE-2025-26845 is an eval injection vulnerability in Znuny that allows authenticated users with configuration write access to execute arbitrary commands via the backup.pl script. This affects all Znuny installations up to version 7.1.3. Attackers can achieve remote code execution with the privileges of the user running the backup script.
💻 Affected Systems
- Znuny
📦 What is this software?
Znuny by Znuny
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary commands with the privileges of the backup script user, potentially leading to data theft, system takeover, or lateral movement.
Likely Case
Authenticated attackers with configuration access can execute arbitrary commands, potentially gaining shell access, exfiltrating data, or installing malware.
If Mitigated
With proper access controls limiting configuration write permissions, impact is reduced to authorized users only, though they could still misuse legitimate access.
🎯 Exploit Status
Exploitation requires authenticated access with configuration write permissions; once obtained, command injection is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.1.4 or later
Vendor Advisory: https://www.znuny.org/en/advisories/zsa-2025-03
Restart Required: Yes
Instructions:
1. Back up your Znuny installation and database.
2. Download Znuny 7.1.4 or later from official sources.
3. Follow the official upgrade guide at docs.znuny.org.
4. Restart all Znuny services after upgrade.
🔧 Temporary Workarounds
Restrict configuration file permissions
Linux: Limit write access to Znuny configuration files to only essential administrative users
chmod 640 /path/to/znuny/config/files/*
chown root:znuny /path/to/znuny/config/files/*
Disable backup.pl script access
Linux: Remove execute permissions or restrict access to the backup.pl script for non-admin users
chmod 750 /path/to/znuny/bin/backup.pl
chown root:znuny /path/to/znuny/bin/backup.pl
🧯 If You Can't Patch
- Implement strict access controls to limit configuration file write permissions to only essential administrators
- Monitor and audit all configuration file modifications and backup script executions
🔍 How to Verify
Check if Vulnerable:
Check the Znuny version: if it is 7.1.3 or earlier, the system is vulnerable. Also verify whether users have write access to configuration files.
Check Version:
znuny.Console.pl --version
Verify Fix Applied:
After patching, verify version is 7.1.4 or later and test that eval injection attempts in configuration files no longer execute commands.
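The two checks under "Check if Vulnerable", as an added example (not code from Znuny or the vendor advisory): a POSIX shell helper that compares an installed version string against 7.1.4 and lists files that group or others can write to. The function names and the invocation are this example's own assumptions; you supply the installed version string and the real configuration and script paths.

```shell
#!/bin/sh
# Added example: exposure check for CVE-2025-26845 (not vendor code).
FIXED_VERSION="7.1.4"   # first fixed release named on this page

# version_lt A B: succeed if dotted numeric version A is older than B.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        # Drop the component just compared; a missing component counts as 0.
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1   # versions are equal
}

# loose_write_perms PATH...: print regular files that group or others can
# write to, i.e. anything looser than the 640/750 modes in the workarounds.
loose_write_perms() {
    find "$@" -type f \( -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# Assumed invocation: sh check.sh <installed-version> <path>...
if [ "$#" -ge 2 ]; then
    ver="$1"; shift
    if version_lt "$ver" "$FIXED_VERSION"; then
        echo "VULNERABLE: $ver is older than $FIXED_VERSION"
    else
        echo "OK: $ver is not older than $FIXED_VERSION"
    fi
    loose_write_perms "$@" | sed 's/^/LOOSE PERMISSIONS: /'
fi
```

Version components are compared numerically, so 7.1.10 is correctly treated as newer than 7.1.4; suffixes such as "-rc1" are not handled.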
📡 Detection & Monitoring
Log Indicators:
- Unusual configuration file modifications
- Suspicious commands in backup.pl execution logs
- Unexpected system command execution from Znuny user
Network Indicators:
- Unusual outbound connections from Znuny server following configuration changes
SIEM Query:
source="znuny" AND (event="configuration_modified" OR event="backup_executed") AND user NOT IN ["authorized_admin_users"]