CVE-2025-46157

CRITICAL

EfroTech Time Trax 1.0 - Remote Code Execution via Leave Request File Attachment

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-46157. PoC published by morphine009.

AI-analyzed exploit summary: This repository provides a detailed writeup for CVE-2025-46157, describing a remote code execution (RCE) vulnerability in Timetrax V1 (2025) via insecure file upload validation, followed by privilege escalation using the EfsPotato technique.

Description

An issue in EfroTech Time Trax v1.0 allows a remote attacker to execute arbitrary code via the file attachment function in the leave request form.

Exploits (1)

nomisec WRITEUP (1 star)
by morphine009 · poc
https://github.com/morphine009/CVE-2025-46157

Classification
Writeup 90%
Attack Type
RCE | LPE
Complexity
Moderate
Reliability
Reliable
Target: Timetrax V1 (2025)
Auth required
Prerequisites: Valid user credentials for Timetrax · Access to the Leave Request form in the Attendance module · Ability to intercept and modify HTTP requests
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
http://timetrax.com (Broken Link)
https://github.com/morphine009/CVE-2025-46157 (Exploit, Third Party Advisory)

Scores

CVSS v3 9.9
EPSS 0.0090
EPSS Percentile 54.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-434
Status published
Products (1)
efrotech/timetrax 1.0
Published Jun 18, 2025
Tracked Since Feb 18, 2026