CVE-2025-47221 is a vulnerability identified in Keyfactor SignServer versions prior to 7.3.2 that allows arbitrary file write operations on the server filesystem by an authenticated user with administrative privileges. The root cause lies in the improper validation of configuration properties related to archive file storage: ARCHIVETODISK_FILENAME-PATTERN, ARCHIVETODISK_PATH_BASE, and ARCHIVETODISK_PATH_PATTERN. These properties can be manipulated to specify arbitrary file paths, including those pointing to existing files, enabling an attacker to overwrite files accessible by the local JBoss user. Since Keyfactor SignServer is used for certificate lifecycle management and signing operations, compromising its file integrity could lead to manipulation of critical files, potentially impacting the signing process or server stability. The vulnerability does not allow remote unauthenticated exploitation; it requires admin-level access, which limits the attack surface but still poses a significant risk if admin credentials are compromised or misused. The CVSS 3.1 base score of 5.3 reflects a medium severity, with network attack vector, low attack complexity, no privileges required (PR:N in vector likely means no additional privileges beyond admin), no user interaction, and limited impact on integrity without affecting confidentiality or availability. No known exploits have been reported in the wild, and no official patches are linked yet, though upgrading to version 7.3.2 or later is recommended. The vulnerability is classified under CWE-284 (Improper Access Control), highlighting the failure to restrict configuration parameters properly.

For European organizations, especially those relying on Keyfactor SignServer for certificate management and signing operations, this vulnerability could lead to unauthorized modification of critical files on the server. This may result in the corruption or manipulation of certificate archives, potentially undermining the trustworthiness of PKI operations. While the vulnerability requires admin access, insider threats or compromised admin credentials could be exploited to overwrite files, leading to integrity breaches. This could disrupt secure communications, authentication, and digital signing processes, impacting sectors such as finance, government, healthcare, and critical infrastructure. The impact is primarily on data integrity, with no direct confidentiality or availability effects reported. However, indirect availability issues could arise if overwritten files cause service failures. Given the strategic importance of PKI in European digital infrastructure, exploitation could have cascading effects on compliance with regulations like eIDAS and GDPR, especially if certificate validity or audit trails are affected.

European organizations should immediately verify their Keyfactor SignServer version and upgrade to version 7.3.2 or later where this vulnerability is addressed. Until upgrading, restrict administrative access strictly to trusted personnel and implement multi-factor authentication to reduce the risk of credential compromise. Audit and monitor configuration changes to the ARCHIVETODISK_FILENAME-PATTERN, ARCHIVETODISK_PATH_BASE, and ARCHIVETODISK_PATH_PATTERN properties to detect unauthorized modifications. Employ file integrity monitoring on directories accessible by the JBoss user to detect unexpected file overwrites. Limit the permissions of the JBoss user to the minimum necessary to reduce the impact of potential overwrites. Additionally, conduct regular security training for administrators to prevent misuse of privileges. Network segmentation and strict firewall rules should be applied to limit access to the SignServer management interfaces. Finally, maintain up-to-date backups of critical files and configurations to enable recovery in case of compromise.