
CVE-2025-48390: Freescout Help Desk RCE Vulnerability

CVE-2025-48390 is a remote code execution flaw in Freescout help desk caused by insufficient input validation in the php_path parameter. Attackers with admin access can exploit this to execute arbitrary code.


CVE-2025-48390 Overview

CVE-2025-48390 is a code injection vulnerability in FreeScout, a self-hosted help desk and shared mailbox application. The flaw exists in versions prior to 1.8.178 and stems from insufficient validation of user input in the php_path parameter. Backtick and tab characters are not stripped during input checks, allowing administrator-role users to execute arbitrary code on the host system. An attacker exploits the issue by creating a language translation, which generates a folder on disk, then references that path in tools.php as the php_path value. The file_exists call accepts the folder, while the backtick characters embedded in the path trigger shell command execution. The issue is tracked as [CWE-94] Code Injection.

Critical Impact

An authenticated administrator can achieve arbitrary code execution on the FreeScout host through backtick injection in the php_path parameter.

Affected Products

  • FreeScout versions prior to 1.8.178
  • Self-hosted FreeScout help desk deployments
  • Installations exposing administrator-accessible tools.php

Discovery Timeline

  • 2025-05-29 - CVE-2025-48390 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-48390

Vulnerability Analysis

FreeScout exposes a settings interface that allows administrators to specify the PHP binary path through the php_path parameter. The application validates the supplied value with file_exists to confirm the file or directory exists on disk. The validation routine removes some shell metacharacters but fails to strip backticks and tab characters. PHP interprets backtick-enclosed strings as shell command execution operators, so any path containing backticks executes the wrapped command when processed downstream.

The exploit chain requires two steps. First, the attacker uses the language translation feature to create an attacker-controlled folder on the file system. This step ensures the file_exists check returns true. Second, the attacker submits the php_path value with embedded backticks pointing to the created folder, causing the shell command inside the backticks to execute on the server.

Root Cause

The root cause is incomplete input sanitization in the php_path validation logic. The filter strips a subset of dangerous characters but omits backticks and tab characters from its denylist. Combined with the file_exists precondition, this allows crafted paths to pass validation while still triggering command interpretation.
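The following is an added example, not FreeScout's own code and not the vendor's patch: it contrasts a hypothetical denylist filter of the kind described above (the exact set of characters it strips is an assumption) with an allowlist validator, and it tightens the filesystem check from "exists" to "is a regular executable file", since file_exists also returns true for a directory such as a freshly created translation folder. Sample values are constructed; /bin/sh and /bin are used only because they are present on virtually every POSIX host.

```python
import os
import re

# Hypothetical denylist in the spirit of the flawed check: strips a few shell
# metacharacters but, like the original, leaves backticks and tabs untouched.
DENYLIST = ";|&$"


def naive_denylist_strip(value: str) -> str:
    """Remove only the characters in DENYLIST; backticks and tabs survive."""
    return "".join(ch for ch in value if ch not in DENYLIST)


# Allowlist: an absolute POSIX path built only from letters, digits, '/', '.',
# '_' and '-'. Everything else (backtick, tab, '$', ';', space, ...) is rejected,
# so there is no list of "dangerous" characters to keep complete.
PHP_PATH_ALLOWED = re.compile(r"^/[A-Za-z0-9_./-]+$")


def php_path_syntax_ok(value: str) -> bool:
    """True only if the value is a plain absolute path with no '..' component."""
    return bool(PHP_PATH_ALLOWED.fullmatch(value)) and ".." not in value.split("/")


def validate_php_path(value: str):
    """Allowlist syntax check, then require a regular executable file.

    Returns (True, resolved_path) or (False, reason). A directory is rejected
    even though it exists, which removes the translation-folder trick's foothold.
    """
    if not php_path_syntax_ok(value):
        return False, "rejected: characters outside the path allowlist"
    real = os.path.realpath(value)
    if not os.path.isfile(real):
        return False, "rejected: not a regular file (a directory is not a PHP binary)"
    if not os.access(real, os.X_OK):
        return False, "rejected: file is not executable"
    return True, real


# Constructed samples (no real command inside the backticks).
SAMPLE_GOOD = "/bin/sh"                                    # an existing executable file
SAMPLE_TAB = "/usr/bin/php\t"                              # trailing tab survives the denylist
SAMPLE_BACKTICK = "/var/www/freescout/resources/lang/xx`x`"  # backticks survive the denylist
SAMPLE_DIR = "/bin"                                        # exists, but is a directory

if __name__ == "__main__":
    print("denylist leaves:", repr(naive_denylist_strip(SAMPLE_BACKTICK)))
    for sample in (SAMPLE_GOOD, SAMPLE_TAB, SAMPLE_BACKTICK, SAMPLE_DIR):
        ok, detail = validate_php_path(sample)
        print(f"{sample!r:55} -> {'accepted ' + detail if ok else detail}")
```

The design point is that the fix should not be a longer denylist: an allowlist of path characters plus a stricter filesystem predicate closes both halves of the chain (the metacharacters and the directory-as-binary precondition) at once.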

Attack Vector

The attack requires high privileges since only administrator-role accounts can modify the php_path setting and create language translations. The attack vector is network-based through the standard FreeScout web interface. No user interaction is needed once the administrator session is active. Successful exploitation yields command execution under the web server account, compromising confidentiality, integrity, and availability of the help desk host and any stored ticket data.

No public proof-of-concept exploit code is available. The vulnerability is described in the GitHub Security Advisory GHSA-5324-cw55-gwj5.

Detection Methods for CVE-2025-48390

Indicators of Compromise

  • Unexpected language folders created under the FreeScout translations directory with names containing backtick or tab characters
  • Modifications to the php_path configuration value containing non-standard characters such as backticks (`) or tabs
  • Web server processes spawning shell utilities such as sh, bash, nc, curl, or wget from the FreeScout application context
  • Outbound network connections from the FreeScout host to unknown infrastructure following administrator settings changes

Detection Strategies

  • Audit FreeScout application logs for changes to the php_path setting and correlate with translation creation events
  • Monitor file system creation events under the FreeScout resources/lang directory for folder names containing shell metacharacters
  • Inspect the FreeScout configuration store for php_path values that deviate from expected binary paths such as /usr/bin/php
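The three detection strategies above, as an added example that is not part of the original advisory and does not use FreeScout's real log format: it parses constructed audit log lines in a hypothetical key=value layout, flags php_path values that contain shell metacharacters, point into the translations directory, or fall outside a site-specific allowlist of expected binary locations (the allowlist contents are an assumption), lists translation folder names containing metacharacters, and correlates a php_path change with a translation creation in the same administrator session.

```python
import re
from datetime import datetime, timedelta

# Characters with no legitimate place in a PHP binary path or a language folder name.
SHELL_META = re.compile(r"[`\t$;|&<>\n]")

# Hypothetical site allowlist of where the PHP binary is expected to live.
EXPECTED_PHP_PATHS = {"/usr/bin/php", "/usr/local/bin/php"}

# Constructed audit log in a hypothetical format (timestamp, then key=value pairs).
SAMPLE_LOG = """\
2025-06-01T10:02:11Z user=admin@example.test session=s1 event=login
2025-06-01T10:03:40Z user=admin@example.test session=s1 event=translation.create path=/var/www/freescout/resources/lang/xx`x`
2025-06-01T10:04:05Z user=admin@example.test session=s1 event=setting.update key=php_path value=/var/www/freescout/resources/lang/xx`x`
2025-06-01T11:15:00Z user=ops@example.test session=s2 event=setting.update key=php_path value=/usr/bin/php
"""

# Constructed listing of resources/lang; only the last entry is abnormal.
SAMPLE_LANG_DIRS = ["en", "de", "pt-BR", "xx`x`"]


def parse_log(text: str) -> list:
    """Turn each log line into a dict of fields plus a parsed 'ts' datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        event = dict(re.findall(r"(\w+)=(\S+)", rest))
        event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def php_path_is_suspicious(value: str):
    """Return a reason string for a suspicious php_path value, or None."""
    if SHELL_META.search(value):
        return "shell metacharacter in php_path"
    if "/resources/lang/" in value:
        return "php_path points into the translations directory"
    if value not in EXPECTED_PHP_PATHS:
        return "php_path outside the expected binary locations"
    return None


def suspicious_lang_dirs(names) -> list:
    """Folder names under resources/lang that contain shell metacharacters."""
    return [name for name in names if SHELL_META.search(name)]


def correlate(events, window=timedelta(minutes=30)) -> list:
    """Flag php_path updates that are themselves suspicious or that follow a
    translation creation in the same session within the given window."""
    findings = []
    for event in events:
        if event.get("event") != "setting.update" or event.get("key") != "php_path":
            continue
        reasons = []
        reason = php_path_is_suspicious(event.get("value", ""))
        if reason:
            reasons.append(reason)
        for prior in events:
            if (prior.get("event") == "translation.create"
                    and prior.get("session") == event.get("session")
                    and timedelta(0) <= event["ts"] - prior["ts"] <= window):
                reasons.append("translation created earlier in the same session")
        if reasons:
            findings.append({"ts": event["ts"], "user": event.get("user"),
                             "session": event.get("session"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_log(SAMPLE_LOG)):
        print(finding["ts"], finding["user"], finding["session"], "; ".join(finding["reasons"]))
    print("abnormal lang folders:", suspicious_lang_dirs(SAMPLE_LANG_DIRS))
```

The correlation step matters because a php_path value can look like an ordinary directory path after extraction by a log pipeline; pairing the setting change with a translation creation in the same session catches the two-step chain even when the metacharacter check is bypassed by log normalisation.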

Monitoring Recommendations

  • Alert on child process creation from the PHP-FPM or web server worker process tied to FreeScout when the child is a shell interpreter
  • Track administrator account logins to FreeScout and review changes to system settings in the same session
  • Enable verbose application auditing for the FreeScout tools.php endpoint and forward logs to a centralized SIEM

How to Mitigate CVE-2025-48390

Immediate Actions Required

  • Upgrade FreeScout to version 1.8.178 or later, which contains the input validation fix
  • Review administrator accounts and revoke access for any unused or shared credentials
  • Audit existing language translation folders and the current php_path setting for signs of tampering
  • Rotate credentials and API tokens stored within FreeScout if compromise is suspected

Patch Information

The vendor released the fix in FreeScout 1.8.178. The patch is available in commit fb33d672a2d67f5a2b3cf69c80945267f17908b2. The fix extends input sanitization to strip backtick and tab characters from the php_path parameter before validation and use.

Workarounds

  • Restrict the FreeScout administrator role to a minimum set of trusted users until the patch is applied
  • Place FreeScout behind a reverse proxy or VPN to limit network exposure of the administrative interface
  • Apply file system permissions that prevent the web server user from creating arbitrary directories under the translations path
```bash
# Upgrade FreeScout to the patched release
cd /var/www/freescout
php artisan freescout:upgrade
php artisan --version
# Verify FreeScout reports version 1.8.178 or later
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
