[CVE-2025-46661] IPW Systems Metazo - Remote Code Execution via unauthenticated SSTI
IPW Systems Metazo had an unauthenticated SSTI that was leading to RCE in it. An unprotected route would happily just evaluate smarty template language leading to unauthenticated RCE directly.
[CVE-2023-22855] Kardex MLOG - Insecure path join to RCE via SSTI
Kardex MLOG has an insecure path join, which allows to include files locally or from a remote smb server. In combination with the template rendering of .t4 files a SSTI is possible and allows for RCE. This blog post will describe how I found this vulnerability and how to leverage it to gain a reverse shell.