CVE-2019-25729: PDF Signer 3.0 Server-Side Template Injection RCE via CSRF Cookie
PDF Signer 3.0 contains a server-side template injection vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP commands through the CSRF-TOKEN cookie parameter. Attackers can craft malicious cookie values containing template injection payloads like shell_exec() to execute system commands and retrieve sensitive information from the server.
Security readout for executives and security teams
Plain-English summary
PDF Signer 3.0 is reported to let an unauthenticated internet attacker run code on the server through unsafe handling of a cookie value. A successful attack could expose documents, credentials, and the host system. Public exploit material is referenced, but the provided sources do not show confirmed active exploitation or a vendor patch.
Executive priority
Treat this as urgent if PDF Signer 3.0 is in use, because the reported impact is full unauthenticated remote code execution. If no deployment exists, document non-exposure and monitor vendor or advisory updates.
Technical view
The CVE describes server-side template injection in PDF Signer 3.0 through the CSRF-TOKEN cookie, leading to arbitrary code execution without authentication. CVSS is 9.8 critical with network attack vector and high confidentiality, integrity, and availability impact. The source bundle lists CWE-352, though the described weakness is template injection behavior.
Likely exposure
Exposure is likely limited to organizations running simcy_creative PDF Signer version 3.0, especially if reachable from the internet. The provided sources do not identify other affected versions, hosted variants, or downstream products.
Exploitation context
ExploitDB is listed as a public exploit reference, so defenders should assume exploit knowledge is available. The bundle does not cite CISA KEV listing or confirmed in-the-wild exploitation, so active exploitation is unproven from these sources.
Researcher notes
Evidence supports critical impact and public exploit availability, but patch status and exploitation-in-the-wild evidence are incomplete in the provided bundle. The CWE mapping may be imprecise relative to the described server-side template injection path.
Mitigation direction
Identify and prioritize all PDF Signer 3.0 deployments.
Check vendor and VulnCheck guidance for patched versions or official remediation.
Restrict internet access to affected instances until remediation is confirmed.
Retire or isolate unsupported PDF Signer 3.0 systems.
Review logs for suspicious CSRF-TOKEN cookie values and unexpected server execution.
Validation and detection
Inventory web assets for PDF Signer 3.0 installations.
Confirm product version from application files, admin UI, or deployment records.
Review web logs for abnormal CSRF-TOKEN cookie values.
Check host telemetry for unexpected child processes from the web server.
Verify whether vendor guidance identifies a fixed release.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-352: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
2CVSS vectors
3Timeline events
1ADP providers
5Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: yesTechnical Impact: total
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-352 · source CWE mapping
Cross-Site Request Forgery
Cross-Site Request Forgery represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.