A critical Server-Side Template Injection (SSTI) vulnerability, identified as CVE-2025-60355, has been discovered in zhangyd-c OneBlog versions prior to 2.3.9. This flaw allows an unauthenticated attacker to inject malicious code into a server-side template, leading to remote code execution. Successful exploitation could result in a complete compromise of the affected server, enabling data theft, service disruption, and further network intrusion.

The vulnerability is a Server-Side Template Injection (SSTI) within the FreeMarker template engine used by the OneBlog application. An attacker can submit specially crafted input to a feature that renders content using a FreeMarker template. Because the application fails to properly sanitize this user-supplied input, the template engine executes it as a directive, allowing the attacker to access the underlying server's objects and methods. This can be leveraged to execute arbitrary operating system commands with the privileges of the web server application, resulting in full Remote Code Execution (RCE).

This vulnerability is rated as critical severity with a CVSS score of 9.8, indicating a high risk to the organization. Successful exploitation could lead to a complete compromise of the affected server, granting an attacker full control. Potential consequences include the exfiltration of sensitive data (such as customer information, credentials, and intellectual property), deployment of ransomware, disruption of business operations, and significant reputational damage. The compromised server could also be used as a foothold to launch further attacks against the internal network, escalating the security incident.

Immediate Action: Immediately update all instances of zhangyd-c OneBlog to version 2.3.9 or later to patch the vulnerability. After patching, it is crucial to monitor for any signs of post-compromise activity and review access logs for indicators of exploitation attempts that may have occurred prior to the update.

Proactive Monitoring: Implement enhanced logging and monitoring on affected systems. Security teams should search web server access logs and application logs for suspicious patterns indicative of SSTI, such as strings containing FreeMarker syntax (e.g., ${...}, <#... >, ?new()). Monitor for unexpected child processes being spawned by the web server process (e.g., sh, bash, cmd.exe, powershell.exe) and anomalous outbound network connections from the server.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block common SSTI payloads. Additionally, ensure the application is running with the lowest possible user privileges to limit the impact of a potential compromise. Network segmentation can also help contain an attacker and prevent lateral movement from a compromised server.

Public Exploit Available: true

Given the critical CVSS score of 9.8 and the high probability of exploitation, this vulnerability poses an immediate and severe threat to the organization. We strongly recommend that all affected systems be patched immediately without delay. The absence of this CVE from the CISA KEV list should not reduce the urgency; it simply means it has not yet been observed in widespread attacks. Organizations must prioritize the remediation of this flaw to prevent a full system compromise.