A critical remote code execution vulnerability has been identified in multiple Frappe products, assigned CVE-2025-68929 with a CVSS score of 9. An attacker can exploit this flaw by tricking a privileged, authenticated user into clicking a specially crafted link, which allows the attacker to execute arbitrary code and gain full control of the affected server. Immediate patching is required to prevent potential system compromise, data theft, and operational disruption.

This vulnerability is a server-side template injection that leads to remote code execution (RCE). An attacker must first craft a malicious URL containing a payload designed to be interpreted as a server-side template. The attacker then delivers this link to an authenticated user who possesses specific, elevated permissions within the application. If the victim clicks the link, the Frappe framework processes the malicious payload, executing the embedded code on the server with the privileges of the web application service account, resulting in a full system compromise.

This vulnerability is rated as critical severity with a CVSS score of 9. Successful exploitation grants an attacker complete control over the application server, posing a severe risk to the business. Potential consequences include the theft or modification of sensitive corporate and customer data, deployment of ransomware, disruption of critical business operations relying on the Frappe-based application, and using the compromised server as a pivot point to attack other internal network resources. The reputational and financial damage from such a breach could be substantial.

Immediate Action: Immediately upgrade all instances of Frappe products to a patched version (14.99.6, 15.88.1, or later) as recommended by the vendor. After patching, review web server and application access logs for any unusual requests or signs of exploitation that may have occurred prior to the update.

Proactive Monitoring: Implement enhanced monitoring of application and web server logs. Look for suspicious GET or POST requests, particularly those containing template syntax (e.g., {{ ... }}, {% ... %}), unexpected URL parameters, or calls to system commands. Monitor for any anomalous processes spawned by the web server's user account and unusual outbound network connections from the server.

Compensating Controls: If immediate patching is not feasible, consider implementing the following controls:

• Use a Web Application Firewall (WAF) with rules designed to detect and block template injection attacks.
• Strictly review and limit the number of users with the "specific permissions" required to trigger this vulnerability.
• Conduct user awareness training to educate privileged users on the risks of clicking untrusted or suspicious links, even if they appear to originate from a known application.

Public Exploit Available: false

Due to the critical severity of this vulnerability and its potential for complete system compromise, it is strongly recommended that organizations prioritize the immediate application of vendor-supplied patches to all affected Frappe instances. Although this CVE is not currently listed on the CISA KEV catalog, its high CVSS score warrants urgent attention. All remediation and monitoring actions should be implemented without delay to mitigate the significant risk to the organization.