CVE-2025-60785: Remote Code Execution Via JDBC Injection On IceScrum
CVE Information
CVE ID: CVE-2025-60785
Severity: High
CVSS v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Affected Vendor: IceScrum
Affected Product: IceScrum
Vulnerability Type: Remote Code Execution
Vulnerability Details
The testDbConnection HTTP endpoint accepts a user-supplied JDBC connection string and hands it to the PostgreSQL JDBC driver bundled with the application. When a vulnerable version of that driver is present, a specially crafted connection string can trigger remote code execution on the server. The endpoint has no CSRF protection, so an unauthenticated attacker can coerce an authenticated user (or an administrative browser context) into submitting the malicious JDBC string with a single click, resulting in server-side remote code execution with the privileges of the running process.
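The following is an added example, not IceScrum's code, sketching the two controls the paragraph above says are missing from the endpoint: a CSRF token check tied to the session, and allowlist-based validation of the user-supplied JDBC URL so that only host, port, database name and a handful of known connection properties ever reach the driver. The handler shape, header name, property allowlist and sample requests are assumptions made for the example.

```python
"""Hardening sketch for a 'test database connection' endpoint.

Added example, not IceScrum's code. The endpoint name, header names and
the request/session dicts are constructed stand-ins for a web framework.
"""
import hmac
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

# Connection properties a "test connection" form legitimately needs
# (assumed set). Everything else is rejected: an allowlist, not a
# denylist, so driver properties that take class names or file paths
# can never be smuggled in through the query string.
ALLOWED_PROPERTIES = frozenset(
    {"user", "password", "ssl", "sslmode", "connectTimeout", "ApplicationName"}
)
ALLOWED_SSLMODES = frozenset({"disable", "require", "verify-ca", "verify-full"})
MAX_URL_LENGTH = 512
HOST_RE = re.compile(r"[A-Za-z0-9.-]+")   # hostnames and IPv4; no IPv6 literals
DBNAME_RE = re.compile(r"[A-Za-z0-9_]+")


class InvalidJdbcUrl(ValueError):
    """Raised for any URL that does not match the strict expected shape."""


@dataclass(frozen=True)
class JdbcTarget:
    host: str
    port: int
    database: str
    properties: dict = field(default_factory=dict)


def parse_postgres_jdbc_url(url: str) -> JdbcTarget:
    """Parse jdbc:postgresql://host[:port]/db[?k=v&...] into checked parts.

    The raw string is never passed on; the caller rebuilds the connection
    from the returned fields only.
    """
    if len(url) > MAX_URL_LENGTH:
        raise InvalidJdbcUrl("url too long")
    prefix = "jdbc:postgresql://"
    if not url.startswith(prefix):
        raise InvalidJdbcUrl("only jdbc:postgresql:// URLs are accepted")
    parts = urlsplit(url[len("jdbc:"):])          # urlsplit wants a plain scheme
    if parts.username or parts.password or parts.fragment:
        raise InvalidJdbcUrl("credentials and fragments are not allowed in the URL")
    host = parts.hostname
    if not host or not HOST_RE.fullmatch(host):
        raise InvalidJdbcUrl("invalid host")
    try:
        port = parts.port or 5432
    except ValueError as exc:                      # non-numeric or out-of-range port
        raise InvalidJdbcUrl("invalid port") from exc
    database = parts.path.lstrip("/")
    if not DBNAME_RE.fullmatch(database):
        raise InvalidJdbcUrl("invalid database name")
    props: dict = {}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key not in ALLOWED_PROPERTIES:
            raise InvalidJdbcUrl(f"property not allowed: {key}")
        if key in props:
            raise InvalidJdbcUrl(f"duplicate property: {key}")
        props[key] = value
    if "sslmode" in props and props["sslmode"] not in ALLOWED_SSLMODES:
        raise InvalidJdbcUrl("invalid sslmode")
    return JdbcTarget(host, port, database, props)


def csrf_token_valid(session_token, request_token) -> bool:
    """Constant-time comparison of the per-session token with the submitted one."""
    if not session_token or not request_token:
        return False
    return hmac.compare_digest(str(session_token), str(request_token))


def handle_test_db_connection(request: dict, session: dict) -> tuple:
    """Constructed handler: returns (status, message) like a framework view would."""
    if request.get("method") != "POST":
        return 405, "POST only"
    if not session.get("is_admin"):
        return 403, "administrator role required"
    submitted = request.get("headers", {}).get("X-CSRF-Token")
    if not csrf_token_valid(session.get("csrf_token"), submitted):
        return 403, "missing or invalid CSRF token"
    try:
        target = parse_postgres_jdbc_url(request.get("form", {}).get("url", ""))
    except InvalidJdbcUrl as exc:
        # Worth logging: a rejected URL here is a strong detection signal.
        return 400, f"rejected JDBC url: {exc}"
    # A real handler would now open the connection from target's fields only.
    return 200, f"would connect to {target.host}:{target.port}/{target.database}"


if __name__ == "__main__":
    session = {"is_admin": True, "csrf_token": "constructed-token"}
    ok = {"method": "POST", "headers": {"X-CSRF-Token": "constructed-token"},
          "form": {"url": "jdbc:postgresql://db.internal:5432/icescrum?user=app&sslmode=require"}}
    forged = {"method": "POST", "headers": {}, "form": ok["form"]}
    print(handle_test_db_connection(ok, session))
    print(handle_test_db_connection(forged, session))
```

The important design choice is that the handler never forwards the submitted string to the driver: it parses it into host, port, database and an allowlisted property set, and a real implementation would build the connection from those fields. Rejections at the parse step are cheap to log and make a useful alert, since a legitimate "test connection" form has no reason to produce them.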
Proof of Concept
The exploit PoC can be found at: POC.py
Affected Versions
This vulnerability affects IceScrum versions ≤ 7.5.4. Organizations using affected versions should immediately apply security patches.
References
This research was conducted by the ZDaylabs security team as part of our ongoing commitment to improving application security.