
CVE-2025-60786: n/a

High
Published: Mon Dec 15 2025 (12/15/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

CVE-2025-60786 is a high-severity Zip Slip vulnerability affecting the import project component of iceScrum v7.54 Pro On-prem. It allows an attacker with limited privileges to execute arbitrary code by uploading a specially crafted ZIP file. The vulnerability stems from improper validation of file paths during ZIP extraction, leading to directory traversal and the potential overwriting of critical files. Exploitation does not require user interaction but does require some level of privilege (PR:L). No exploits are currently known to be in the wild. The vulnerability impacts confidentiality, integrity, and availability, with a CVSS score of 8.8. European organizations using iceScrum Pro On-prem should prioritize patching and implement strict file validation and access controls to mitigate risk. Countries with significant software development sectors and iceScrum adoption are most at risk.

AI-Powered Analysis

AI analysis last updated: 12/22/2025, 17:07:20 UTC

Technical Analysis

CVE-2025-60786 is a Zip Slip vulnerability in the import project functionality of iceScrum v7.54 Pro On-prem. Zip Slip is a form of path traversal (CWE-22) that occurs when an archive extraction routine trusts the file names stored inside the archive: a crafted ZIP whose entry names carry traversal sequences such as ../ is written outside the intended extraction folder. Here, an attacker with a low-privileged account that can use the import feature uploads such an archive, and the server-side extraction creates or overwrites files anywhere the application process has write access. If a file the application server loads or executes is replaced, this becomes arbitrary code execution. The vulnerability carries a CVSS 3.1 base score of 8.8 (High), with high impact on confidentiality, integrity, and availability. The attack vector is network (AV:N), attack complexity is low (AC:L), the attacker needs low privileges (PR:L) and no user interaction (UI:N), and scope is unchanged (S:U), meaning the impact is confined to the security scope of the vulnerable iceScrum server rather than reaching a separate component. No public exploit is known, but Zip Slip issues are simple to weaponize once the vulnerable code path is understood, since the payload is nothing more than an archive with malicious entry names. No patch was available at the time of publication, which increases the risk. Organizations running iceScrum Pro On-prem should treat this as a critical issue because of the potential for remote code execution and full system compromise.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially those relying on iceScrum for agile project management in software development environments. Successful exploitation could lead to unauthorized code execution on servers, resulting in data breaches, service disruption, or full system compromise. Confidential project data and intellectual property could be exposed or altered, impacting business operations and compliance with data protection regulations such as GDPR. The vulnerability could also be leveraged as a foothold for lateral movement within corporate networks. Given the high CVSS score and the critical nature of arbitrary code execution, the impact on availability, integrity, and confidentiality is severe. Organizations without timely mitigation may face operational downtime and reputational damage. The risk is amplified in environments where iceScrum servers are internet-facing or have weak access controls.

Mitigation Recommendations

1. Immediate mitigation: restrict project-import permissions to trusted users and validate the contents of uploaded ZIP files before extraction, rejecting any entry whose name contains a path traversal sequence or resolves outside the intended extraction directory.
2. Run the import process in a sandbox or container to limit the impact of a successful exploit.
3. Monitor the iceScrum application and application-server directories for unauthorized file changes.
4. Segment the network so that iceScrum servers are isolated from critical infrastructure.
5. Log and alert on suspicious upload activity, including archives whose entries contain ../ or absolute paths.
6. Since no official patch was available at the time of this analysis, disable the import project feature temporarily if that is feasible.
7. Follow iceScrum vendor advisories for a patch or update addressing this vulnerability.
8. Conduct regular security assessments and penetration tests focused on file-upload functionality.
9. Educate users about the risks of uploading untrusted files and enforce strict access controls.
10. Use an application-layer firewall or intrusion prevention system to detect and block malicious ZIP uploads.
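The following is an added example, not code from iceScrum or from the original advisory. It illustrates the extraction flaw described in the Technical Analysis above and the pre-extraction validation from recommendation 1. It builds a constructed ZIP archive in memory whose second entry name carries a ../ sequence, shows a naive extractor (the Zip Slip pattern) writing that entry outside the destination directory, and then a validator plus a hardened extractor that reject the archive. The directory layout, entry names and function names are assumptions made for the example; the real iceScrum import code and paths are not known from this page.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


def build_malicious_zip() -> bytes:
    """Constructed sample archive (not a real exploit): one benign entry and one
    entry whose name climbs two directories above the extraction folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/export.xml", "<project/>")
        # zipfile keeps the '../' in the stored name; an extractor that trusts
        # stored names will write this file outside its destination.
        zf.writestr("../../escaped.txt", "written outside the import dir")
    return buf.getvalue()


def extract_vulnerable(zip_bytes: bytes, dest: str) -> list[str]:
    """Naive extractor (the Zip Slip / CWE-22 pattern): joins each stored name
    onto dest with no containment check. Shown only to demonstrate the bug."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename)  # '../' is honoured here
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.abspath(target))
    return written


def is_contained(dest: str, name: str) -> bool:
    """True only if the stored entry name, resolved against dest, stays inside
    dest. Absolute names are rejected outright."""
    if os.path.isabs(name):
        return False
    dest_real = Path(dest).resolve()
    target = (dest_real / name).resolve()
    return target == dest_real or dest_real in target.parents


def unsafe_entries(zip_bytes: bytes, dest: str) -> list[str]:
    """Pre-extraction validation of an uploaded archive: every entry name that
    would land outside dest. An empty list means the archive is safe to unpack."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if not is_contained(dest, i.filename)]


def extract_safe(zip_bytes: bytes, dest: str) -> list[str]:
    """Hardened extractor: rejects the whole archive if any entry escapes dest,
    so no partially extracted project is left behind."""
    bad = unsafe_entries(zip_bytes, dest)
    if bad:
        raise ValueError(f"archive rejected, traversal entries: {bad}")
    dest_real = Path(dest).resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = dest_real / info.filename
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(str(target))
    return written


def demo() -> dict:
    """Runs both extractors against the constructed archive inside a scratch
    directory nested two levels deep, so the escaped file stays in temp space."""
    root = Path(tempfile.mkdtemp())
    dest = root / "app" / "imports"   # assumed extraction directory
    payload = build_malicious_zip()

    extract_vulnerable(payload, str(dest))
    escaped = (root / "escaped.txt").exists()     # True: the entry slipped out

    flagged = unsafe_entries(payload, str(dest))  # ['../../escaped.txt']
    try:
        extract_safe(payload, str(dest))
        rejected = False
    except ValueError:
        rejected = True
    return {"escaped": escaped, "flagged": flagged, "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The containment check resolves both the destination and the candidate path before comparing them, so symlinked temp directories and mixed ../ sequences are handled consistently; a string search for "../" alone is not enough, because names such as "a/../../x" or absolute names also escape.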


Technical Details

Data Version
5.2
Assigner Short Name
mitre
Date Reserved
2025-09-26T00:00:00.000Z
Cvss Version
null
State
PUBLISHED

Threat ID: 69403410d9bcdf3f3de9937e

Added to database: 12/15/2025, 4:15:12 PM

Last enriched: 12/22/2025, 5:07:20 PM

Last updated: 2/7/2026, 9:22:44 PM

