CVE-2025-14700

CRITICAL LAB

Crafty Controller - Authenticated Remote Code Execution via Webhook Template Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2025-14700. PoCs published by adminlove520, Nosiume, secdongle.

AI-analyzed exploit summary This is a functional exploit for CVE-2025-14700, targeting Crafty Controller. It leverages a template injection vulnerability in the webhook functionality to achieve remote code execution (RCE) by creating a malicious webhook payload that triggers a reverse shell.

Description

An input neutralization vulnerability in the Webhook Template component of Crafty Controller allows a remote, authenticated attacker to perform remote code execution via Server Side Template Injection.

Exploits (3)

github WORKING POC 2 stars
by adminlove520 · pythonpoc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-14700

This is a functional exploit for CVE-2025-14700, targeting Crafty Controller. It leverages a template injection vulnerability in the webhook functionality to achieve remote code execution (RCE) by creating a malicious webhook payload that triggers a reverse shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Crafty Controller (versions <= 4.6.1)
Auth required
Prerequisites: Valid credentials for Crafty Controller · Network access to the target · Ability to create a server and webhook
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec WORKING POC 1 stars
by Nosiume · poc
https://github.com/Nosiume/CVE-2025-14700-poc

This PoC exploits a template injection vulnerability in Crafty Controller to achieve remote code execution via a malicious webhook payload. It authenticates, creates a server, and triggers a reverse shell through a crafted Discord webhook.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Crafty Controller (versions <= 4.6.1)
Auth required
Prerequisites: Valid credentials for Crafty Controller · Network access to the target · Listener for reverse shell
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by secdongle · poc
https://github.com/secdongle/POC_CVE-2025-14700

This is a functional PoC for CVE-2025-14700, exploiting a Server-Side Template Injection (SSTI) vulnerability in Crafty Controller <= 4.6.1 to achieve Remote Code Execution (RCE) via Jinja2 template injection in Webhook configurations. The exploit automates authentication, session handling, and payload delivery for a reverse shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Crafty Controller <= 4.6.1
Auth required
Prerequisites: Authenticated access to Crafty Controller · Network access to target · Attacker-controlled listener for reverse shell
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1
Core References
Broken Link issue-tracking permissions-required
https://gitlab.com/crafty-controller/crafty-4/-/issues/646

Scores

CVSS v3 9.9
EPSS 0.0072
EPSS Percentile 49.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Lab Environment

COMMUNITY
Community Lab
docker pull registry.gitlab.com/crafty-controller/crafty-4:4.6.1

Details

CWE
CWE-1336
Status published
Products (1)
craftycontrol/crafty_controller 4.6.1
Published Dec 17, 2025
Tracked Since Feb 18, 2026