H3-2025-0066
osTicket PHP Filter Chain Injection Vulnerability
| Category | VULNERABILITY |
| Base Score | 8.7 |
Description
osTicket incorrectly sanitizes PHP filter chain expressions in rich text ticket description fields. This can be exploited to read arbitrary files from the osTicket server when a ticket is exported to PDF.
Impact
The default configuration of osTicket permits anonymous users to open and view tickets, and to self-register accounts. This means anyone with network access to osTicket can exploit this vulnerability to read arbitrary files, including sensitive configuration, from the osTicket server. Against Linux installations of osTicket, it is possible to exploit this vulnerability in conjunction with CVE-2024-2961 (CNEXT) to upload a web shell, leading to remote command execution on the osTicket server. Against Windows installations of osTicket, attackers may be able to leak the NTLMv2 hash of the service account running osTicket, or read files from other Windows hosts over SMB.
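A defensive check for the issue described above, as an added example that is not part of the original advisory or of osTicket's code: it scans ticket bodies for `php://filter` URIs after undoing HTML-entity and percent-encoding, and reports a rough chain length for triage. The ticket IDs, sample bodies, placeholder filter names and function names are all constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# php://filter URI up to the next delimiter; scheme matching is case-insensitive.
FILTER_URI = re.compile(r"php://filter[^\s\"'<>]*", re.IGNORECASE)


def normalise(text, max_rounds=5):
    """Undo nested HTML-entity and percent-encoding so encoded URIs still match."""
    for _ in range(max_rounds):
        decoded = unquote(html.unescape(text))
        if decoded == text:
            break
        text = decoded
    return text


def find_filter_uris(body):
    """Return one record per php://filter URI found in a ticket body."""
    hits = []
    for match in FILTER_URI.finditer(normalise(body)):
        uri = match.group(0)
        # Rough triage signal: '|' separates filters, so long chains score high.
        hits.append({"uri": uri[:120], "stages": uri.count("|") + 1})
    return hits


def scan(tickets):
    """Map ticket id -> hits, keeping only tickets with at least one hit."""
    results = {}
    for ticket_id, body in tickets.items():
        hits = find_filter_uris(body)
        if hits:
            results[ticket_id] = hits
    return results


# Constructed sample bodies; filter names and resource are placeholders.
SAMPLE_TICKETS = {
    "T-1001": '<p>Printer is offline, see <a href="https://intranet.example/kb/42">KB 42</a>.</p>',
    "T-1002": "<p>php://filter/FILTER_A|FILTER_B|FILTER_C/resource=PLACEHOLDER</p>",
    "T-1003": "<p>PHP&#58;//filter/FILTER_A/resource=PLACEHOLDER</p>",
}

if __name__ == "__main__":
    for ticket_id, hits in scan(SAMPLE_TICKETS).items():
        for hit in hits:
            print(ticket_id, hit["stages"], hit["uri"])
```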