Critical Vulnerability Information

Vulnerability Overview

CVE ID: CVE-2025-46157
Product: Timetrax V1 (2025)
Vulnerability Type: Remote Code Execution (RCE) and Privilege Escalation

Vulnerability Details

Remote Code Execution (RCE)
- Component: Leave application form in the Attendance module
- Cause: Insecure server-side file validation
- Attack Vector: Modify upload request to change file extension to
- Impact: Full command execution on the server

Privilege Escalation
- Technique: EfsPotato
- Abused Privilege: SeImpersonatePrivilege
- Result: SYSTEM-level access
- AV Evasion: Achieved using obfuscated payload

CVSS v3.1 Score

Base Score: 9.9 (Critical)
Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Proof of Concept (PoC)

1. Remote Code Execution
- Log in to Timetrax using valid user credentials.
- Navigate to the leave application form under the Attendance module.
- Upload a file and intercept the HTTP request using Burp Suite.
- Modify the file extension in the request from to .
- Send the request. The server will return a URL for the uploaded file.
- Access the URL to trigger the malicious web shell.

2. Privilege Escalation
- Use the EfsPotato exploit to abuse SeImpersonatePrivilege.
- Obfuscate the binary or payload to bypass AV detection.
- Obtain a SYSTEM-level shell and create a new administrator account as proof.

Affected Versions

Timetrax V1 (2025)

Mitigation Measures
- Enforce strong password policies and enable Multi-Factor Authentication (MFA).
- Properly validate and sanitize uploaded files on the server.
- Restrict use of to only necessary accounts.
- Apply operating system patches to mitigate EfsPotato.
- Disable EFS if not required.

Disclosure Information

Discoverer: Noman Azam
Email: noman@technobiz.com.pk
CVE ID: CVE-2025-46157

References

EfsPotato Exploit
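The root cause above is an upload handler that trusts the client-supplied file name. The check below is an added illustration of the server-side validation the mitigation section calls for; it is not Timetrax code, and the allowed extensions, magic-byte prefixes and name format are assumptions for a leave-application attachment.

```python
import os
import re
import secrets

# Extensions a leave-application attachment legitimately needs (assumed allowlist).
ALLOWED_EXTENSIONS = {"pdf", "jpg", "jpeg", "png"}

# Leading bytes each allowed type must start with, so the content is checked,
# not just the name the client chose.
MAGIC = {
    "pdf": (b"%PDF-",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# File stem: letters, digits, underscore, hyphen only; no spaces, NULs or dots.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename, content):
    """Return (True, 'stem.ext') for an acceptable upload, else (False, reason)."""
    # Drop any directory components the client may have sent.
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.split(".")
    # Exactly one dot: rejects bare names and double extensions outright.
    if len(parts) != 2:
        return False, "filename must be name.ext with a single extension"
    stem, ext = parts[0], parts[1].lower()
    if not SAFE_STEM.fullmatch(stem):
        return False, "disallowed characters in filename"
    # Allowlist, never a denylist: an unknown extension is rejected by default.
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension ." + ext + " not allowed"
    if not any(content.startswith(m) for m in MAGIC[ext]):
        return False, "content does not match claimed type"
    return True, stem + "." + ext


def server_side_name(ext):
    """Name to use on disk: random stem plus the validated extension only.

    The client-supplied name is never reused, so the client has no influence
    over the stored path. Store outside the web root and serve via a handler
    that sets a fixed Content-Type rather than executing the file.
    """
    return secrets.token_hex(16) + "." + ext
```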