CVE-2025-5139

5.6 MEDIUM

📋 TL;DR

This critical vulnerability in Qualitor 8.20/8.24 allows remote attackers to execute arbitrary commands through command injection in the Office 365 connection handler. Attackers can exploit this by manipulating the 'nmconexao' parameter in the testaConexaoOffice365.php file. Organizations running affected Qualitor versions with the Office 365 integration enabled are at risk.

💻 Affected Systems

Products:
  • Qualitor
Versions: 8.20 to 8.20.55, 8.24 to 8.24.30
Operating Systems: Any OS running Qualitor
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Office 365-type Connection Handler component to be enabled/accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise allowing attackers to execute arbitrary commands with the web server's privileges, potentially leading to data theft, lateral movement, or ransomware deployment.

🟠 Likely Case

Limited command execution within the web server context, potentially allowing file system access, credential harvesting, or installation of backdoors.

🟢 If Mitigated

Attack fails due to input validation, proper WAF rules, or network segmentation preventing access to the vulnerable endpoint.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

An exploit script is available as a GitHub gist, though exploitation is described as difficult. The remote attack vector is confirmed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.20.56 or 8.24.31

Vendor Advisory: Not provided in references

Restart Required: Yes

Instructions:

1. Back up the current installation.
2. Download the patched version from the Qualitor vendor.
3. Apply the patch according to vendor instructions.
4. Restart Qualitor services.
5. Verify the fix by checking the version.

🔧 Temporary Workarounds

Disable Office 365 Connection Handler (Linux)

Temporarily disable the vulnerable component if Office 365 integration is not required

# Remove or rename the vulnerable file
mv /html/ad/adconexaooffice365/request/testaConexaoOffice365.php /html/ad/adconexaooffice365/request/testaConexaoOffice365.php.disabled

Implement WAF Rules (all platforms)

Add web application firewall rules to block suspicious patterns in nmconexao parameter

🧯 If You Can't Patch

  • Network segmentation: Restrict access to Qualitor instance to trusted IPs only
  • Implement strict input validation and sanitization for the nmconexao parameter

🔍 How to Verify

Check if Vulnerable:

Check if file /html/ad/adconexaooffice365/request/testaConexaoOffice365.php exists and contains unsanitized input handling for nmconexao parameter

Check Version:

Check the Qualitor version through the admin interface or configuration files.

Verify Fix Applied:

Verify version is 8.20.56 or higher (for 8.20 branch) or 8.24.31 or higher (for 8.24 branch)

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /html/ad/adconexaooffice365/request/testaConexaoOffice365.php
  • Suspicious command execution patterns in web server logs
  • Multiple failed connection attempts with unusual nmconexao values

Network Indicators:

  • Unusual outbound connections from Qualitor server
  • Traffic to unexpected ports from web server process

SIEM Query:

source="qualitor_logs" AND uri="/html/ad/adconexaooffice365/request/testaConexaoOffice365.php" AND param="nmconexao" AND (value CONTAINS "|" OR value CONTAINS ";" OR value CONTAINS "$")
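
The same check as a log-scanning script, added here as an example (it is not Qualitor or vendor code). It percent-decodes nmconexao before matching, because a literal CONTAINS test misses values logged in encoded form such as %7C or %253B. The record layout, the body="..." field and the sample lines are assumptions constructed for the illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

ENDPOINT = "/html/ad/adconexaooffice365/request/testaConexaoOffice365.php"
PARAM = "nmconexao"
META = set("|;$")  # the three characters the page's SIEM query looks for

# Assumed, constructed layout: <ip> "<METHOD> <uri> HTTP/<ver>" <status> body="<form body>"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) body="(?P<body>[^"]*)"$'
)

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded characters are exposed."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_record(line):
    """Return None for unrelated lines, else a finding dict for the endpoint."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["uri"])
    if parts.path != ENDPOINT:
        return None
    # nmconexao may arrive in the query string or in the POST body.
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += parse_qsl(m["body"], keep_blank_values=True)
    meta = set()
    for name, value in params:
        if name == PARAM:
            meta |= META & set(decode_fully(value))
    return {"ip": m["ip"], "meta": sorted(meta), "alert": bool(meta)}

def alerts(lines):
    return [r for r in map(inspect_record, lines) if r and r["alert"]]

SAMPLE_LOG = [  # constructed records, documentation IP range, not real traffic
    f'198.51.100.7 "POST {ENDPOINT} HTTP/1.1" 200 body="nmconexao=Office365-Prod"',
    f'198.51.100.9 "POST {ENDPOINT} HTTP/1.1" 200 body="nmconexao=a%7Cb"',
    f'198.51.100.9 "POST {ENDPOINT} HTTP/1.1" 200 body="nmconexao=a%253Bb"',
    f'198.51.100.9 "GET {ENDPOINT}?nmconexao=a$b HTTP/1.1" 200 body=""',
    '198.51.100.3 "GET /index.php?q=a%7Cb HTTP/1.1" 200 body=""',
]
```

Calling alerts(SAMPLE_LOG) returns the three records whose decoded nmconexao value contains a flagged character; the benign connection name and the unrelated URI are not reported.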
