CVE-2025-66022

9.6 CRITICAL

📋 TL;DR

CVE-2025-66022 is a critical vulnerability in FACTION PenTesting Report Generation Framework that allows unauthenticated attackers to upload malicious extensions and execute arbitrary system commands on the server. This results in full remote code execution (RCE) on the host running FACTION. All FACTION instances prior to version 1.7.1 are affected.

💻 Affected Systems

Products:
  • FACTION PenTesting Report Generation and Collaboration Framework
Versions: All versions prior to 1.7.1
Operating Systems: Any OS running FACTION
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the FACTION server, with the attacker gaining full system access, exfiltrating data, moving laterally to other systems, and installing a persistent backdoor.

🟠 Likely Case

An unauthenticated attacker executes arbitrary commands to compromise the server, potentially stealing sensitive penetration testing data and credentials and gaining a foothold in the network.

🟢 If Mitigated

If network segmentation and strict access controls are in place, impact may be limited to the FACTION server itself, with no opportunity for lateral movement.

🌐 Internet-Facing: HIGH - The vulnerability is exploitable by unauthenticated users, making internet-facing instances extremely vulnerable to widespread exploitation.
🏢 Internal Only: HIGH - Even internally deployed instances are vulnerable to any internal attacker or compromised internal system.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires minimal technical skill to exploit due to the unauthenticated access and straightforward extension upload mechanism.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.1

Vendor Advisory: https://github.com/factionsecurity/faction/security/advisories/GHSA-xr72-2g43-586w

Restart Required: Yes

Instructions:

1. Back up your FACTION data and configuration.
2. Stop the FACTION service.
3. Update to version 1.7.1 using your deployment method (Docker, manual install, etc.).
4. Restart the FACTION service.
5. Verify the update was successful.

🔧 Temporary Workarounds

Network Access Restriction

Restrict access to the FACTION web interface to trusted IP addresses only. The rules below append to the INPUT chain, so they only take effect if no earlier rule already accepts traffic to that port; replace [FACTION_PORT] and [TRUSTED_IP] with your own values.

# Example using iptables for Linux
iptables -A INPUT -p tcp --dport [FACTION_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [FACTION_PORT] -j DROP

Authentication Proxy

Place FACTION behind a reverse proxy that requires authentication (for example nginx with basic auth). This only helps if FACTION itself listens on localhost, or is otherwise unreachable except through the proxy; an application port that is directly reachable bypasses the proxy's authentication entirely.

# nginx basic auth configuration example
location / {
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;
    proxy_pass http://localhost:[FACTION_PORT];
}

🧯 If You Can't Patch

  • Immediately isolate the FACTION server from the network or place it in a highly restricted network segment
  • Implement strict network access controls to limit which systems can communicate with the FACTION instance

🔍 How to Verify

Check if Vulnerable:

Check the FACTION version via the web interface or configuration files. If the version is below 1.7.1, the system is vulnerable.

Check Version:

Check the FACTION web interface or examine the package/Docker image version. For Docker:

docker ps --filter "name=faction" --format "{{.Image}}"

Verify Fix Applied:

After updating, verify that the version is 1.7.1 or higher and test that unauthenticated access to /portal/AppStoreDashboard is no longer possible.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated access attempts to /portal/AppStoreDashboard
  • Extension upload events from unauthenticated users
  • Unusual system command execution from FACTION process

Network Indicators:

  • HTTP POST requests to extension upload endpoints from unauthenticated sources
  • Outbound connections from FACTION server to suspicious destinations

SIEM Query:

source="faction.log" AND (uri_path="/portal/AppStoreDashboard" OR event="extension_upload") AND user="unauthenticated"
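The log indicators above, as an added detection example that is not part of this advisory. It assumes FACTION sits behind a reverse proxy writing combined-format access logs (as in the nginx workaround), where the remote-user field is "-" for requests that carried no proxy credentials, and it flags requests to /portal/AppStoreDashboard that were served without one. The sample log lines are constructed.

```python
import re
from collections import Counter

# Combined-format access log as written by a reverse proxy (nginx/Apache) in
# front of FACTION; the third field is the proxy's authenticated user or "-".
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
WATCHED_PREFIX = "/portal/AppStoreDashboard"  # endpoint named in the advisory

def find_unauthenticated_hits(lines: list[str]) -> list[dict]:
    """Return requests under the extension dashboard that were answered with a
    non-error status while the proxy recorded no authenticated user."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(WATCHED_PREFIX):
            continue  # not combined format, or not the watched endpoint
        status = int(m["status"])
        if m["user"] == "-" and status < 400:
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "path": m["path"], "status": status})
    return hits

def served_posts_per_source(hits: list[dict]) -> dict[str, int]:
    """Count accepted POSTs (upload-style requests) per source address."""
    return dict(Counter(h["ip"] for h in hits if h["method"] == "POST"))

# Constructed sample lines (not real traffic): an authenticated GET, an
# unauthenticated GET the app served, an unauthenticated POST it accepted,
# a POST the auth proxy rejected with 401, and an unrelated path.
SAMPLE_LOG = [
    '203.0.113.5 - alice [10/Dec/2025:10:00:01 +0000] "GET /portal/AppStoreDashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2025:10:00:09 +0000] "GET /portal/AppStoreDashboard HTTP/1.1" 200 5120 "-" "curl/8.4.0"',
    '198.51.100.7 - - [10/Dec/2025:10:00:12 +0000] "POST /portal/AppStoreDashboard HTTP/1.1" 302 0 "-" "curl/8.4.0"',
    '198.51.100.9 - - [10/Dec/2025:10:01:30 +0000] "POST /portal/AppStoreDashboard HTTP/1.1" 401 0 "-" "python-requests/2.31"',
    '203.0.113.5 - alice [10/Dec/2025:10:02:00 +0000] "GET /portal/Dashboard HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = find_unauthenticated_hits(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']} {h['method']} {h['path']} -> {h['status']} (no proxy user)")
    print("accepted POSTs per source:", served_posts_per_source(hits))
```

Requests the proxy already rejected (401) are deliberately excluded, so the output lists only traffic that reached the application without credentials; any served POST here should be treated as a possible extension upload and investigated.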
