A critical vulnerability (CVE-2025-46661) has been identified in IPW Systems Metazo versions up to 8.1.3, allowing unauthenticated remote code execution through server-side template injection in the smartyValidator.php component. The flaw carries a maximum CVSS score of 10.0 and has been patched by the vendor as of April 28, 20251.
Executive Summary
This vulnerability affects all deployments of IPW Systems Metazo through version 8.1.3. The smartyValidator.php component improperly processes template expressions, enabling attackers to execute arbitrary code without authentication. The vendor has released patches, and all instances should be upgraded immediately.
- CVSS Score: 10.0 (Critical)
- Attack Vector: Network (remotely exploitable)
- Impact: Complete system compromise
- Affected Versions: Metazo ≤ 8.1.3
- Patch Status: Available in versions > 8.1.3
Technical Analysis
The vulnerability stems from improper input validation in the smartyValidator.php component, which processes template expressions. Attackers can craft malicious template expressions that bypass security controls, leading to server-side template injection (SSTI). This weakness has been classified under CWE-1336 (Improper Neutralization in Template Engine)2.
The CVSS v3.1 vector string (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N) indicates the attack can be performed remotely without privileges or user interaction, with high impacts on confidentiality and integrity. The scope is changed, meaning the vulnerability can affect components beyond the vulnerable application3.
Impact and Exploitation
Successful exploitation allows complete system takeover through remote code execution. While no public exploits are currently available, the critical nature of this vulnerability makes it a prime target for attackers. The vulnerability is particularly dangerous because it requires no authentication and can be exploited remotely.
Security researchers have confirmed the vulnerability affects the default configuration of Metazo installations. The smartyValidator.php component is typically accessible to unauthenticated users, making this an attractive attack vector for threat actors4.
Mitigation and Remediation
The primary mitigation is upgrading to Metazo version 8.1.4 or later. For organizations unable to immediately patch, temporary workarounds include:
- Restrict network access to smartyValidator.php using web application firewalls or network ACLs
- Implement strict input validation for all template expressions
- Monitor logs for unusual access patterns to smartyValidator.php
Security teams should prioritize patching any internet-facing Metazo installations, as these are most vulnerable to exploitation attempts. The vendor has confirmed all supported versions now include the fix5.
Detection and Response
Organizations should search for the following indicators of compromise:
| Detection Method | Indicator |
|---|---|
| Web Server Logs | Unusual POST requests to smartyValidator.php containing template expressions |
| Network Traffic | Unexpected outbound connections from Metazo servers |
| File System | New or modified files in web-accessible directories |
Security operations teams should review any alerts related to Metazo systems and investigate suspicious activity. The vulnerability has been actively discussed in security forums, increasing the likelihood of exploitation attempts6.
Conclusion
CVE-2025-46661 represents a severe threat to organizations using vulnerable versions of IPW Systems Metazo. The combination of remote exploitability, lack of authentication requirements, and maximum CVSS score makes this one of the most critical vulnerabilities disclosed this year. Immediate patching is strongly recommended, along with thorough system reviews for signs of compromise.
References
- “CVE-2025-46661 Detail,” National Vulnerability Database, [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2025-46661 [Accessed: Apr. 28, 2025].
- “CVE-2025-46661,” MITRE CVE, [Online]. Available: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-46661 [Accessed: Apr. 28, 2025].
- “Tenable Analysis of CVE-2025-46661,” Tenable, [Online]. Available: https://www.tenable.com/cve/CVE-2025-46661 [Accessed: Apr. 28, 2025].
- “GHSA-65hw-c9g5-r8mm,” GitHub Advisory, [Online]. Available: https://github.com/advisories/GHSA-65hw-c9g5-r8mm [Accessed: Apr. 28, 2025].
- “Vulners CVE-2025-46661,” Vulners, [Online]. Available: https://vulners.com/cve/CVE-2025-46661 [Accessed: Apr. 28, 2025].
- “Exploitation Alert for CVE-2025-46661,” Dark Web Informer, [Online]. Available: https://darkwebinformer.com/ipw-systems-metazo-vulnerability-cve-2025-46661-leads-to-remote-code-execution-via-template-injection/ [Accessed: Apr. 28, 2025].
