CVE-2025-60786: n/a
A Zip Slip vulnerability in the import a Project component of iceScrum v7.54 Pro On-prem allows attackers to execute arbitrary code via uploading a crafted Zip file.
AI Analysis
Technical Summary
CVE-2025-60786 is a Zip Slip vulnerability in the project-import component of iceScrum v7.54 Pro On-prem. Zip Slip (the name Snyk gave the pattern in 2018) is path traversal, CWE-22, driven by archive contents: the extraction code takes each entry name from the archive, joins it onto the extraction directory and writes there, without canonicalising the joined path and checking that the result is still inside that directory. Nothing in the ZIP format stops an entry from being named ../../some/path, so whoever supplies the archive chooses where on the filesystem the entry is written, limited only by the permissions of the account running iceScrum. Here the archive is supplied through the import-project feature. Arbitrary code execution follows when the attacker writes or overwrites something the application or the host will execute, for example a script or binary in a location that is run automatically; the advisory does not say which target was demonstrated. The advisory also does not state what access the import endpoint requires: assume at minimum an authenticated user who is allowed to import projects, and treat any claim that it is reachable anonymously as unverified until the vendor says otherwise. As of publication no CVSS score has been assigned and no vendor patch or workaround has been published. The CVE was reserved on 2025-09-26 and published in mid-December 2025. No in-the-wild exploitation is known, but the malicious archive takes a few lines to build with any ZIP library and the outcome is code execution on the server, so organisations running iceScrum v7.54 Pro On-prem should treat this as a priority issue.
Potential Impact
The primary impact of CVE-2025-60786 is arbitrary code execution on the host running the vulnerable iceScrum instance, with the privileges of the iceScrum service account. For European organisations that means full compromise of the server, exposure of the project data it holds, disruption of agile planning workflows, and a foothold for lateral movement into the internal network. Because iceScrum sits alongside the software development process, a compromised instance can also be used to tamper with project data and to feed manipulated content into anything that consumes it, including connected development pipelines. Confidentiality, integrity and availability are all affected. In regulated sectors common in Europe, such as finance, healthcare and critical infrastructure, a compromise of this kind brings regulatory penalties and reputational damage on top of the technical impact. The absence of known exploits gives a window for proactive mitigation, but since the crafted archive is trivial to produce, expect that window to close quickly once details circulate.
Mitigation Recommendations
Until the vendor ships a fix, restrict the project-import feature to the users who actually need it, and keep the iceScrum interface behind strong authentication and network segmentation so an attacker must first obtain a trusted account. Run iceScrum as a dedicated, unprivileged service account whose write access is limited to the application's data and temporary directories; a traversal out of the extraction directory then fails with a permission error instead of landing in the web application's deployment directory or a startup script, and cannot escalate beyond that account. Where an upload can be inspected before it reaches the application, reject any archive whose entry names are absolute or resolve outside the extraction directory; a generic application-layer firewall or IPS rule does not see entry names inside a compressed archive, so this check needs a component that actually parses the ZIP. The real fix belongs in the extraction code: canonicalise the joined destination path and confirm it is still under the target directory before writing, and validate every entry before the first write so that a bad archive leaves nothing behind. Monitor for unexpected file creation or modification outside iceScrum's data directory, and alert on new or changed files in the deployment directory, startup scripts and scheduled tasks. Upgrade as soon as a patched version or a vendor-provided workaround is available. Audit the deployment regularly, tell users not to import project archives from untrusted sources, and keep tested backups so the instance can be rebuilt after a compromise.
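As an added example (not code from iceScrum or its vendor; the product's actual import code was not examined here), the script below builds a ZIP with a traversal entry the way an attacker would, extracts it with the naive join-and-write logic described in the Technical Summary, and then applies the pre-write validation recommended above. The entry name ../../dropped.txt, the directory layout and the function names are assumptions for the demonstration; everything runs inside a temporary directory so the vulnerable extractor can only escape within that sandbox.

```python
from __future__ import annotations

import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath, PureWindowsPath


class ZipSlipError(ValueError):
    """Raised for an entry whose name would land outside the extraction directory."""


def build_crafted_zip() -> bytes:
    """Constructed sample archive: one benign project file plus one entry whose
    name climbs two directories up. The ZIP format does not restrict entry
    names, so any ZIP library will happily write this."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/export.json", '{"name": "demo"}')
        zf.writestr("../../dropped.txt", "attacker-controlled content")  # assumed name
    return buf.getvalue()


def extract_vulnerable(zip_bytes: bytes, dest: Path) -> None:
    """The Zip Slip pattern: the entry name is joined onto dest and written
    without checking where the joined path resolves. Deliberately vulnerable
    for the demo; never run this on untrusted input."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = dest / info.filename  # '..' segments are honoured by the OS
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))


def safe_target(dest: Path, name: str) -> Path:
    """Map an entry name to a destination path, refusing absolute names and any
    name that does not resolve to a location strictly inside dest."""
    if PurePosixPath(name).is_absolute() or PureWindowsPath(name).is_absolute():
        raise ZipSlipError(f"absolute entry name: {name!r}")
    root = dest.resolve()
    target = (root / name).resolve()  # collapses '..' and follows symlinks
    if root not in target.parents:
        raise ZipSlipError(f"entry escapes extraction directory: {name!r}")
    return target


def audit_archive(zip_bytes: bytes, dest: Path) -> list[str]:
    """Pre-extraction check: names of every entry that would escape dest.
    This is the check to run on an upload before the application touches it."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                safe_target(dest, info.filename)
            except ZipSlipError:
                bad.append(info.filename)
    return bad


def extract_safe(zip_bytes: bytes, dest: Path) -> list[Path]:
    """Validate every entry first, then extract. Failing closed before the first
    write means a malicious import leaves nothing behind, not even benign files."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        plan = [(info, safe_target(dest, info.filename)) for info in zf.infolist()]
        written = []
        for info, target in plan:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def run_demo() -> dict:
    """Run both extractors on the crafted archive inside a throwaway directory,
    so the vulnerable one can only escape within the sandbox."""
    archive = build_crafted_zip()
    with tempfile.TemporaryDirectory() as td:
        sandbox = Path(td).resolve()
        vuln_dest = sandbox / "vuln" / "import" / "inbox"
        vuln_dest.mkdir(parents=True)
        extract_vulnerable(archive, vuln_dest)
        # '../../dropped.txt' from .../import/inbox lands two levels up, in .../vuln
        escaped = (sandbox / "vuln" / "dropped.txt").is_file()

        safe_dest = sandbox / "safe" / "import" / "inbox"
        safe_dest.mkdir(parents=True)
        rejected = audit_archive(archive, safe_dest)
        try:
            extract_safe(archive, safe_dest)
            blocked = False
        except ZipSlipError:
            blocked = True
        leftovers = list(safe_dest.rglob("*"))
    return {"vulnerable_escaped": escaped, "rejected": rejected,
            "safe_blocked": blocked, "safe_leftovers": len(leftovers)}


if __name__ == "__main__":
    print(run_demo())
```

The check in safe_target is the one to port to the JVM, where iceScrum (a Grails application) runs: resolve the joined path with File.getCanonicalPath() or java.nio Path.normalize()/toRealPath() and confirm it starts with the canonical extraction directory plus a separator before opening the output stream. Searching the entry name for the string ".." is not a substitute; it misses absolute names and is easy to get wrong.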
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- CVSS Version: none assigned
- State: PUBLISHED
Threat ID: 69403410d9bcdf3f3de9937e
Added to database: 12/15/2025, 4:15:12 PM
Last enriched: 12/15/2025, 4:30:33 PM
Last updated: 12/15/2025, 6:46:51 PM