CVE-2025-47221
📋 TL;DR
This vulnerability allows an authenticated administrator of Keyfactor SignServer to write arbitrary files to any directory writable by the user running the JBoss application server, by pointing a worker's ARCHIVETODISK configuration properties at attacker-chosen paths. Existing files can be overwritten, potentially leading to compromise of the signing server. Exploitation requires administrator credentials; installations running a version before 7.3.2 are affected.
💻 Affected Systems
- Keyfactor SignServer
📦 What is this software?
SignServer is Keyfactor's server-side signing application (document, code and time-stamp signing with centrally held keys), deployed on a JBoss/WildFly application server. The reach of this bug is therefore bounded by what the JBoss user can write on the host.
⚠️ Risk & Real-World Impact
Worst Case
An attacker with admin access could overwrite any file writable by the JBoss user, including deployed application artifacts and configuration, to plant a backdoor or achieve code execution inside the SignServer process, which in turn exposes the signing operations it performs. If the application server runs as root, or its user can write to locations consumed by privileged processes (cron directories, init scripts), this extends to full host compromise.
Likely Case
Malicious administrators or compromised admin accounts could overwrite application files, modify configurations, or plant persistence mechanisms within the server's file system.
If Mitigated
With proper access controls and admin account security, the risk is limited to authorized administrators making configuration errors.
🎯 Exploit Status
Exploitation requires admin credentials. The vulnerability is straightforward to exploit once admin access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.3.2
Vendor Advisory: https://support.keyfactor.com/hc/en-us/articles/37639116791067-SignServer-CVE-2025-47221-Arbitrary-file-write
Restart Required: Yes
Instructions:
1. Download SignServer 7.3.2 from the Keyfactor support portal.
2. Back up the current installation and configuration.
3. Stop the SignServer service.
4. Apply the 7.3.2 update following Keyfactor's upgrade documentation.
5. Restart the SignServer service.
6. Verify the update: the admin interface should report 7.3.2 or later.
🔧 Temporary Workarounds
Restrict Admin Access
Limit administrative access to trusted personnel only and enforce strong authentication on the admin interface, such as client-certificate authentication.
Monitor Configuration Changes
Monitor and alert on changes to ARCHIVETODISK configuration properties, especially values that resolve outside the intended archive directory.
🧯 If You Can't Patch
- Implement strict access controls for admin accounts and monitor admin activity
- Run the application server as a dedicated, unprivileged user and make the installation and deployment trees read-only for that user, so that an arbitrary write is confined to the intended archive location
🔍 How to Verify
Check if Vulnerable:
Check SignServer version via admin interface or configuration files. If version is below 7.3.2, the system is vulnerable.
Check Version:
Check the SignServer admin web interface or examine the signserver-deploy.properties file for version information.
Verify Fix Applied:
Confirm that the admin interface reports 7.3.2 or later. Then, on a non-production worker, attempt to set an ARCHIVETODISK property to a path outside the archive directory (an absolute path, or one containing `..`) and confirm that no file is created there.
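The property of the fix being tested above is path containment: a configured archive location must resolve to the operator-approved base directory or somewhere beneath it. The following is an added reference implementation of that check, not SignServer's own code; the base-directory and property values are assumptions, and it goes a step beyond the text by also covering a symlink planted inside the base directory and a sibling directory that merely shares a string prefix, the two cases a naive `startswith` check misses.

```python
import os
import tempfile


def archive_path_is_contained(base_dir: str, configured_path: str) -> bool:
    """Return True only if configured_path resolves to base_dir itself or to
    something beneath it once symlinks are followed and '..' is collapsed.

    A relative value is interpreted relative to base_dir; an absolute value
    replaces it (os.path.join discards base_dir in that case), which is
    exactly the situation the containment test must then catch.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, configured_path))
    try:
        # commonpath compares whole path components, so a sibling directory
        # that only shares a string prefix (archive vs archive2) is rejected.
        return os.path.commonpath([base, candidate]) == base
    except ValueError:
        # Raised when the two paths cannot share a root (e.g. different
        # Windows drives); that is certainly not contained.
        return False


def demo() -> dict:
    """Exercise the check against constructed inputs (assumed property values)
    inside a temp directory, including a symlink under the base directory
    that points outside it."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "archive")
        outside = os.path.join(root, "outside")
        os.makedirs(base)
        os.makedirs(outside)
        # Symlink inside the approved base that escapes it.
        os.symlink(outside, os.path.join(base, "link"))

        results["base_itself"] = archive_path_is_contained(base, ".")
        results["subdir"] = archive_path_is_contained(base, "worker1/2025")
        results["dotdot"] = archive_path_is_contained(base, "../outside")
        results["absolute"] = archive_path_is_contained(base, "/etc/cron.d")
        results["symlink"] = archive_path_is_contained(base, "link/worker1")
        results["prefix_sibling"] = archive_path_is_contained(base, base + "2")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15} {'allowed' if ok else 'rejected'}")
```

Only `base_itself` and `subdir` should be accepted; the `..`, absolute, symlink and prefix-sibling cases must all be rejected. The same four inputs are what the verification test against a patched worker should probe.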
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to ARCHIVETODISK configuration properties
- Admin account logins from unexpected locations/times
- New or modified files owned by the JBoss user outside the expected archive directory (file-integrity monitoring on the SignServer installation and deployment trees)
Network Indicators:
- Admin interface access from unauthorized IP addresses
SIEM Query:
source="signserver" AND ((event_type="configuration_change" AND config_property="ARCHIVETODISK*") OR (event_type="admin_login" AND result="success"))
Field names are illustrative and must be mapped to your log schema. Note the grouping: without the outer parentheses the login clause is evaluated on its own and matches every successful admin login regardless of source; narrow that clause with a source-IP allowlist if your logs carry one.
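The two log indicators that can be evaluated from audit events alone, ARCHIVETODISK property changes and admin logins from unexpected sources, are implemented below as an added example; it is not SignServer code, the `key=value` log shape and the event and property names are constructed for illustration rather than SignServer's real log schema, and the approved archive base and admin network are assumed values. Unlike the SIEM query above, it grades each ARCHIVETODISK change by whether the new value lexically escapes the approved base directory.

```python
import ipaddress
import os
import re

# Operator-defined expectations (assumed values; adjust to your deployment).
APPROVED_ARCHIVE_BASE = "/var/lib/signserver/archive"
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.5.0/24")]

# Constructed sample audit lines in a generic "timestamp key=value ..." shape.
# Event and property names are illustrative, not SignServer's actual schema.
SAMPLE_LOG = [
    '2025-05-20T10:02:11Z event=ADMIN_LOGIN result=SUCCESS admin="CN=ops-admin" src=10.0.5.12',
    '2025-05-20T10:03:40Z event=SET_WORKER_PROPERTY admin="CN=ops-admin" worker=PDFSigner property=ARCHIVETODISK_PATH_BASE value="/var/lib/signserver/archive/pdf"',
    '2025-05-20T10:04:02Z event=SET_WORKER_PROPERTY admin="CN=ops-admin" worker=PDFSigner property=DEFAULTKEY value=signKey0001',
    '2025-05-20T22:41:03Z event=ADMIN_LOGIN result=SUCCESS admin="CN=ops-admin" src=203.0.113.7',
    '2025-05-20T22:42:19Z event=SET_WORKER_PROPERTY admin="CN=ops-admin" worker=PDFSigner property=ARCHIVETODISK_PATH_BASE value="/opt/jboss/standalone/deployments"',
    '2025-05-20T22:42:51Z event=SET_WORKER_PROPERTY admin="CN=ops-admin" worker=PDFSigner property=ARCHIVETODISK_PATH_PATTERN value=../../../../etc/cron.d',
]

# key=value or key="value with spaces"
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Split 'timestamp key=value key="quoted value" ...' into a dict."""
    ts, _, rest = line.partition(" ")
    fields = {key: quoted or bare for key, quoted, bare in KV.findall(rest)}
    fields["ts"] = ts
    return fields


def path_outside_base(value: str, base: str = APPROVED_ARCHIVE_BASE) -> bool:
    """True if the configured value (relative or absolute) normalises to a
    location that is neither base nor beneath it. A log line cannot resolve
    symlinks on the target host, so this is a purely lexical check."""
    candidate = os.path.normpath(os.path.join(base, value))
    return os.path.commonpath([candidate, base]) != base


def detect(lines) -> list:
    """Return one alert dict per suspicious event, in log order."""
    alerts = []
    for line in lines:
        f = parse_line(line)
        event = f.get("event")
        if event == "ADMIN_LOGIN" and f.get("result") == "SUCCESS":
            src = ipaddress.ip_address(f["src"])
            if not any(src in net for net in ADMIN_NETWORKS):
                alerts.append({"ts": f["ts"], "severity": "medium",
                               "reason": "admin login from outside allowlisted networks",
                               "detail": f"{f.get('admin')} from {f['src']}"})
        elif event == "SET_WORKER_PROPERTY" and f.get("property", "").startswith("ARCHIVETODISK"):
            value = f.get("value", "")
            # Every ARCHIVETODISK change is worth a record; one that escapes
            # the approved base is the CVE-2025-47221 pattern itself.
            escapes = path_outside_base(value)
            alerts.append({"ts": f["ts"], "severity": "high" if escapes else "low",
                           "reason": ("ARCHIVETODISK property points outside approved base"
                                      if escapes else "ARCHIVETODISK property changed"),
                           "detail": f"{f.get('worker')} {f['property']}={value}"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['ts']} [{a['severity']}] {a['reason']}: {a['detail']}")
```

On the sample above this yields four alerts: a low-severity record for the in-base change, a medium one for the login from 203.0.113.7, and two high-severity ones for the deployment-directory path and the `../../../../etc/cron.d` pattern. The third indicator on the page, writes landing in unexpected directories, needs file-integrity monitoring on the host and is not something audit logs alone can provide.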