CVE-2026-27012: OpenSTAManager Privilege Escalation - Critical - Patch Now
CVE-2026-27012
OpenSTAManager 2.9.8 and earlier contain a critical access-control bypass in modules/utenti/actions.php that lets an attacker move any account into the Amministratori (Administrators) group, exposing all data and handing over control of the instance. Update to a patched version now.
Patch now - CVE-2026-27012 is a critical privilege escalation in OpenSTAManager 2.9.8 and earlier. A missing permission check in modules/utenti/actions.php lets an unauthenticated attacker assign any account to the Amministratori (Administrators) group, yielding full compromise of the application. Upgrade immediately to a release newer than 2.9.8.
Overview
A critical security vulnerability has been identified in OpenSTAManager, an open-source platform for managing technical assistance and invoicing. The flaw allows an attacker to bypass the application's access controls and escalate privileges, fundamentally compromising the security of the application.
Vulnerability Details
In OpenSTAManager versions 2.9.8 and earlier, the user-management action handler (modules/utenti/actions.php) does not verify that the requester is authorized to perform the requested action. An attacker can send a direct, crafted web request to this file to arbitrarily change the assigned user group (idgruppo) of any account in the system.
This means an attacker could, for example, take a low-privilege “Agent” account and change its group membership to the powerful “Amministratori” (Administrators) group. Conversely, they could also demote existing administrators, removing their access and control.
Potential Impact
The impact of this vulnerability is severe. A successful exploit leads to a complete breach of the application’s access controls with the following consequences:
- Full System Compromise: An attacker can gain full administrative access to the OpenSTAManager instance.
- Data Manipulation and Theft: With admin rights, all data (including sensitive customer information, financial records, and service tickets) can be viewed, altered, or stolen.
- Service Disruption: Administrators can be demoted or locked out, and system settings can be changed to disrupt business operations.
- Further Network Attacks: The compromised application could be used as a foothold to launch additional attacks within the network.
This vulnerability is remotely exploitable with low attack complexity, requiring no special privileges or user interaction, leading to its critical CVSS score of 9.8.
Remediation and Mitigation
Immediate action is required for all users of OpenSTAManager.
Primary Remediation: The only complete solution is to upgrade OpenSTAManager to a patched version. The maintainers have addressed this vulnerability in a subsequent release. You must upgrade to a version newer than 2.9.8 immediately. Always obtain software updates directly from the official project repository.
Temporary Mitigation (If Upgrade is Delayed): If an immediate upgrade is not possible, consider these interim steps:
- Restrict Access: Use a web application firewall (WAF) or network access controls to block direct external access to the modules/utenti/ directory path. Note that this also blocks legitimate user administration from outside, so allow only trusted administrative networks where remote access is required.
- Monitor Logs: Closely monitor application and web server logs for any suspicious access attempts to the actions.php file.
- Review User Accounts: Audit all user accounts, especially those in the Administrators group, for any unauthorized changes.
These are temporary measures and do not replace the need for patching. You should plan and execute the upgrade to a secure version as your highest priority.
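To support the log-monitoring and access-restriction steps above, the following is an added example (not code from the OpenSTAManager project or from this advisory). It scans Apache/Nginx combined-format access logs for requests to modules/utenti/actions.php, flags those that carry idgruppo in the query string or originate outside a trusted network, and tallies hits per source address. The combined log format, the 10.0.0.0/8 trusted range, the value idgruppo=1 and the sample log lines are all assumptions constructed for the demonstration; the advisory does not state how the group ID is submitted, and a POST body never appears in an access log, so POST hits are marked for follow-up in WAF or application logs.

```python
"""Triage access-log hits on modules/utenti/actions.php (CVE-2026-27012).

Added example for this advisory; not OpenSTAManager code. Assumptions:
Apache/Nginx "combined" log format, trusted admin range 10.0.0.0/8, and
sample log lines constructed for the demonstration.
"""
import ipaddress
import posixpath
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, unquote, urlsplit

TARGET_PATH = "/modules/utenti/actions.php"   # file named in the advisory
GROUP_PARAM = "idgruppo"                      # group field named in the advisory
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: admin LAN

# Combined format: ip ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    target: str
    status: int
    severity: str                       # "high" or "review"
    notes: list[str] = field(default_factory=list)


def classify(line: str):
    """Return a Finding for a request to actions.php, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None                      # not a combined-format request line
    parts = urlsplit(m["target"])
    # Normalise so "/modules//utenti/./actions.php" or percent-encoded
    # variants still match; a WAF rule should normalise the same way.
    path = posixpath.normpath("/" + unquote(parts.path).lstrip("/"))
    if path != TARGET_PATH:
        return None
    notes = []
    qs = parse_qs(parts.query)
    if GROUP_PARAM in qs:
        notes.append(f"{GROUP_PARAM}={qs[GROUP_PARAM][0]} in query string")
    src = ipaddress.ip_address(m["ip"])
    external = not any(src in net for net in TRUSTED_NETS)
    if external:
        notes.append("source outside trusted network")
    if m["method"] == "POST":
        notes.append("POST body not in access log; check WAF/application logs")
    # Legitimate admins use this file too, so a trusted-network hit with no
    # visible group change is "review", not "high".
    severity = "high" if (GROUP_PARAM in qs or external) else "review"
    return Finding(m["ip"], m["ts"], m["method"], m["target"],
                   int(m["status"]), severity, notes)


def scan(log_text: str) -> list[Finding]:
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


def hits_per_source(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.ip] = counts.get(f.ip, 0) + 1
    return counts


# Constructed sample: two hits from the admin LAN, one from the Internet,
# one unrelated request, one malformed line.
SAMPLE_LOG = """\
10.0.1.15 - - [12/Mar/2026:09:14:02 +0000] "GET /modules/utenti/actions.php?idgruppo=1 HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2026:09:15:41 +0000] "POST /modules//utenti/actions.php HTTP/1.1" 200 318
10.0.1.15 - - [12/Mar/2026:09:16:10 +0000] "POST /modules/utenti/actions.php HTTP/1.1" 302 0
198.51.100.9 - - [12/Mar/2026:09:17:00 +0000] "GET /modules/interventi/index.php HTTP/1.1" 200 9020
not a log line
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ts} {f.ip} {f.method} {f.target}: "
              f"{'; '.join(f.notes)}")
    print(hits_per_source(scan(SAMPLE_LOG)))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; any "high" finding, and any "review" finding not matched to an administrator's known activity, warrants the account audit described above.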
Related Advisories
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to 2.10.2, confronta_righe.php files across different modules in OpenSTAManager contain an SQL Inject...
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind...
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the Aggiornamenti (Updates) module in OpenSTAManager contains a database conflict ...