Dark Web Informer - Cyber Threat Intelligence

IPW Systems Metazo Vulnerability (CVE-2025-46661) Leads to Remote Code Execution via Template Injection

🚨 Critical Security Vulnerability

🆔 CVE-2025-46661
💣 CVSS Score: 10.0 (Critical)
📅 Published: April 28, 2025


🔹 Summary

A critical vulnerability has been identified in IPW Systems Metazo versions up to 8.1.3. The flaw resides in the smartyValidator.php component, which fails to properly sanitize user-supplied input. This oversight allows attackers to inject malicious template expressions, leading to unauthenticated Remote Code Execution (RCE) on the affected system. The vulnerability is classified under CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine.


🔸 Affected Product

  • Product: IPW Systems Metazo
  • Affected Versions: Up to and including 8.1.3
  • Vulnerable Component: smartyValidator.php
  • Vulnerability Type: Server-Side Template Injection (SSTI)

⚙️ Technical Details

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None
  • CWE ID: CWE-1336

🛡️ Mitigation and Recommendations

  • Immediate Patch: Upgrade to the latest version of IPW Systems Metazo beyond 8.1.3, where this vulnerability has been addressed.
  • Input Validation: Implement strict input validation and sanitization to prevent template injection attacks.
  • Access Controls: Restrict access to the smartyValidator.php component to trusted users only.
  • Monitoring: Continuously monitor systems for unusual activities that may indicate exploitation attempts.
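The input-validation item above describes the general CWE-1336 pattern behind this class of bug. The following is an added illustration, not Metazo's code and not the contents of smartyValidator.php: the unsafe way of rendering untrusted input with Smarty beside its hardened form, where untrusted data is only ever passed as a template variable and never becomes part of the template source. It assumes Smarty 3.x/4.x installed via Composer; the function names and `$userInput` are hypothetical.

```php
<?php
// Added example (not from the Metazo code base). Assumes Smarty installed via
// Composer; $userInput stands for an untrusted request parameter.
require_once __DIR__ . '/vendor/autoload.php';

// UNSAFE pattern (CWE-1336, hypothetical): the request parameter is concatenated
// into the template source, so any Smarty syntax it contains is compiled and
// executed by the template engine instead of being shown as text.
function renderUnsafe(Smarty $smarty, string $userInput): string
{
    return $smarty->fetch('string:Hello ' . $userInput);
}

// SAFE pattern: the template is a fixed string written by the developer; the
// untrusted value is assigned to a variable, so the engine treats it purely as
// data and (with escape_html enabled) HTML-escapes it on output.
function renderSafe(Smarty $smarty, string $userInput): string
{
    $smarty->assign('name', $userInput);
    return $smarty->fetch('string:Hello {$name}');
}

$smarty = new Smarty();
$smarty->escape_html = true;   // auto-escape every {$var} in HTML context
$smarty->enableSecurity();     // default Smarty_Security policy: restricts what
                               // template code may call even if injection occurs

$userInput = $_GET['name'] ?? 'guest';

// Only the safe renderer should ever be reachable from request handling.
echo renderSafe($smarty, $userInput);
```

Enabling the default security policy is defence in depth, not a substitute for keeping untrusted input out of the template source; the upgrade past 8.1.3 remains the actual fix for the affected component.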

Note: Organizations utilizing IPW Systems Metazo should prioritize the application of the provided patches and review their systems for any signs of compromise.
