CVE-2026-25855: OpenBullet2 Remote Code Execution via Malicious Script Upload
OpenBullet2 versions up to 0.3.2 contain a critical flaw that allows logged-in users to run arbitrary commands on servers hosting the application. By uploading malicious script files through the FileProxySource feature—which is meant to load proxy configurations—attackers can trick the server into executing those scripts. The server then processes the output and returns it as proxy data, effectively giving the attacker command-line control over the machine running OpenBullet2. This vulnerability requires prior authentication but poses severe risk once an attacker gains initial access.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-78
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-07-14
NVD description (verbatim)
OpenBullet2 through version 0.3.2 contains a remote code execution vulnerability that allows authenticated users to execute arbitrary commands by uploading script files (.bat.ps1.sh) through the FileProxySource proxy loading feature. Attackers can upload malicious script files as proxy sources, causing the server to execute the scripts and return output as proxy lines, resulting in arbitrary command execution on the host as the process user.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-25855 is a post-authentication remote code execution vulnerability in OpenBullet2 through version 0.3.2. The vulnerability exists in the FileProxySource proxy loading mechanism, which insufficiently validates uploaded script files. An authenticated attacker can upload malicious files with script extensions (.bat, .ps1, .sh) to the proxy loading functionality. During processing, the server executes these scripts as part of its normal proxy parsing operation, returning command output as proxy configuration lines. The attack exploits improper input handling and lack of sandbox isolation for script execution. CWE-78 (Improper Neutralization of Special Elements used in an OS Command) is the root cause. The vulnerability allows full system compromise with the privileges of the OpenBullet2 process.
Business impact
Organizations running OpenBullet2 face potential complete server compromise if any authenticated user account is compromised or if administrative access is misused. Attackers gain the ability to exfiltrate sensitive data, modify configurations, deploy secondary malware, pivot to other systems, or cause denial of service. For teams using OpenBullet2 in production environments (e.g., for proxy management or security testing), this vulnerability directly enables lateral movement and persistent foothold establishment within infrastructure. The impact is especially severe if the process runs with elevated privileges or within privileged network segments.
Affected systems
All installations of OpenBullet2 through version 0.3.2 are affected. The vulnerability requires the attacker to have valid authentication credentials, so blast radius is limited to environments where OpenBullet2 access is already partially compromised or where weak credential hygiene exists. Any deployment exposing OpenBullet2 to untrusted users or to environments where credential theft is a realistic threat vector should be considered at immediate risk.
Exploitability
Exploitability is high from a technical standpoint: no complex exploitation technique is required—attackers simply upload a malicious script file through an existing feature. However, the requirement for prior authentication significantly reduces the immediate threat surface. The vulnerability becomes critical in scenarios where OpenBullet2 is exposed to internal users with weak passwords, shared accounts, or where authentication is bypassed through other means. No public proof-of-concept or active exploitation has been documented as of the last update, but the straightforward nature of the vulnerability makes exploitation trivial once access is obtained.
Remediation
Upgrade OpenBullet2 to a patched version beyond 0.3.2 immediately. Verify the availability and contents of vendor patches through official OpenBullet2 release channels. Until patching is possible, implement strict network segmentation to restrict access to OpenBullet2 to only trusted administrative users. Enforce multi-factor authentication for all OpenBullet2 accounts, audit and revoke unnecessary credentials, and monitor proxy loading activities for suspicious file uploads. Disable the FileProxySource feature if not actively required.
Patch guidance
Check the official OpenBullet2 repository and release notes for versions released after 0.3.2 that address this vulnerability. Apply the latest stable patch that includes fixes for CVE-2026-25855. Before deployment, validate patches in a non-production environment to ensure compatibility with your proxy configurations and dependent workflows. Document the patch version applied for audit and compliance purposes.
Detection guidance
Monitor OpenBullet2 logs for unusual file upload activity to the FileProxySource proxy loading endpoint, particularly uploads containing script extensions (.bat, .ps1, .sh). Look for authentication events followed by rapid proxy source configuration changes or upload operations. Network-based detection should flag outbound connections initiated from the OpenBullet2 process that deviate from normal proxy activity. Implement file integrity monitoring on OpenBullet2 configuration and script directories. Examine process execution logs for instances of cmd.exe, powershell.exe, bash, or other shells spawned by the OpenBullet2 process (or its parent process).
Why prioritize this
A CVSS 8.8 (HIGH) score reflecting high confidentiality, integrity, and availability impact combined with low attack complexity and network accessibility. While authentication is required, the severity of command execution on the host system justifies immediate attention, especially for organizations where credential compromise is plausible or where OpenBullet2 handles sensitive operations. The straightforward exploitation path and lack of user interaction requirement make this a critical risk to patch.
Risk score, explained
The CVSS 3.1 score of 8.8 reflects the combination of attack vector (network), attack complexity (low), privilege requirements (low—any authenticated user), user interaction (not required), and scope (unchanged). The impact metrics are maximal: confidentiality high (full system information exposure), integrity high (arbitrary code execution), and availability high (denial of service). The primary limiting factor is the authentication requirement, which prevents unauthenticated remote attacks but does not meaningfully reduce risk in environments where credential theft or insider threats are realistic.
Frequently asked questions
Does this vulnerability require the attacker to have already compromised credentials?
Yes. The vulnerability requires valid authentication credentials to OpenBullet2. However, this is a significant limitation only if credential security is strong. In many environments, credentials are weak, shared, or stored insecurely, making this a realistic threat vector once initial access is achieved.
Can this vulnerability be exploited to gain root or administrator privileges?
The attacker gains command execution at the privilege level of the OpenBullet2 process. If OpenBullet2 runs as root or system, privilege escalation is automatic. If it runs as an unprivileged user, the attacker's reach is limited to that user's permissions. Assess your deployment's privilege configuration carefully.
Is there a workaround if we cannot patch immediately?
Disable or restrict access to the FileProxySource feature if possible. Implement strict network access controls limiting OpenBullet2 connectivity to trusted administrative networks only. Enforce multi-factor authentication and monitor file uploads closely. These measures reduce risk but do not eliminate it; patching is the only definitive remediation.
What should we do if we suspect this vulnerability was exploited?
Immediately isolate the affected system, revoke all OpenBullet2 credentials, audit logs for unauthorized script uploads and command execution, scan for persistence mechanisms or secondary malware, and contact your incident response team. Assume full host compromise until forensic investigation proves otherwise.
This analysis is based on information available as of the last update and may not reflect the complete current threat landscape or all vendor responses. Users should verify patch availability and compatibility with their specific OpenBullet2 deployment directly with official vendor channels. This content is for informational purposes only and should not substitute for comprehensive security assessments, incident response planning, or consultation with qualified cybersecurity professionals. Organizations must conduct their own risk assessment based on their specific infrastructure, threat model, and business context. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-41265HIGHWaterfall WF-500 TX Host OS Command Injection (CVSS 7.2)
- CVE-2025-41266HIGHWaterfall WF-500 TX Host Command Injection Vulnerability Analysis
- CVE-2025-41267HIGHWaterfall WF-500 TX Host Command Injection Vulnerability
- CVE-2025-41279HIGHOS Command Injection in Waterfall WF-500 RX Host Administration WebUI
- CVE-2025-41281HIGHWaterfall WF-500 OS Command Injection
- CVE-2025-69755HIGHNeterbit NW-431F Router RCE and Data Exposure Vulnerability
- CVE-2026-10214HIGHCommand Injection in chatgpt-on-wechat Bash Tool
- CVE-2026-10219HIGHGoClaw Command Injection Vulnerability