OS Command Injection Vulnerability in hzmanyun Education and Training System by hzmanyun
CVE-2025-1676

5.3MEDIUM

Key Information:

Vendor: Hzmanyun
Status: Education And Training System
Vendor: CVE Published:; 25 February 2025

Badges

👾 Exploit Exists

What is CVE-2025-1676?

A significant OS command injection vulnerability exists in the hzmanyun Education and Training System 3.1.1, specifically within the pdf2swf function of the /pdf2swf file. This flaw allows attackers to manipulate file arguments, enabling unauthorized command execution on the server. The attack can be initiated remotely, posing a severe risk to users of the system. The exploit has been made public, which increases the urgency for users to apply mitigation strategies.

Affected Version(s)

Education and Training System 3.1.1

References

https://vuldb.com/?id.296731

vdb-entrytechnical-description

https://vuldb.com/?ctiid.296731

signaturepermissions-required

https://vuldb.com/?submit.500507

third-party-advisory

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

👾
Exploit known to exist
Feb 25, 2025
Vulnerability published
Feb 25, 2025
Vulnerability Reserved
Feb 25, 2025

Credit

0xGeoffreyW (VulDB User)

Hzmanyun