A critical remote code execution vulnerability, identified as CVE-2025-63601, has been discovered in Snipe-IT and potentially other products. This flaw allows an authenticated attacker to gain complete control over an affected system by uploading a malicious backup file, posing a severe risk of data theft, operational disruption, and further network compromise.

This is a critical remote code execution (RCE) vulnerability. An attacker who has valid credentials to the application can exploit this flaw by crafting a malicious backup archive (e.g., a .zip file). This archive can be embedded with a web shell or other malicious scripts. When the application's backup restoration feature processes this malicious file, it improperly validates the contents, leading to the extraction and execution of the embedded code with the permissions of the web server process.

This vulnerability is rated as critical severity with a CVSS score of 9.9. Successful exploitation would grant an attacker full control over the application server. This could lead to a complete compromise of confidentiality, integrity, and availability. Potential consequences include the theft of sensitive asset management data, deployment of ransomware, service disruption, and using the compromised server as a pivot point to launch further attacks against the internal network. The business risks include significant data breaches, financial losses, reputational damage, and regulatory penalties.

Immediate Action:

• Immediately identify all vulnerable instances of Snipe-IT and update them to version 8.3.3 or a later patched version, as recommended by the vendor.
• Review access logs for any recent or unusual backup upload and restore activities, particularly from un-trusted sources or accounts.

Proactive Monitoring:

• Log Analysis: Scrutinize web server and application logs for suspicious POST requests to the backup upload endpoint. Look for successful backup restores initiated by non-administrative users or at unusual times.
• File Integrity Monitoring (FIM): Implement FIM on the web server to detect the creation of unexpected files (e.g., .php, .jsp, .aspx) in the webroot directory, which could indicate a web shell.
• Network Traffic Analysis: Monitor for anomalous outbound network connections from the application server, which could signify a reverse shell or data exfiltration.

Compensating Controls:

• If immediate patching is not feasible, restrict access to the backup and restore functionality to a minimal number of highly trusted administrative accounts.
• Implement a Web Application Firewall (WAF) with rules to inspect file uploads and block archives containing executable file types or suspicious file paths.
• Ensure the application is running with the lowest possible user privileges to limit the impact of a potential code execution event.

Public Exploit Available: false

Given the critical CVSS score of 9.9, this vulnerability presents a severe and immediate risk to the organization. We strongly recommend that all vulnerable instances of Snipe-IT be patched to version 8.3.3 or later without delay. This vulnerability should be treated as the highest priority for remediation. Although not currently on the CISA KEV list, its severity makes it a likely candidate for future inclusion. Proactive patching is the most effective defense against potential exploitation.