CVE-2025-60852

MEDIUM

Instant Developer Foundation <25.0.9600 - Code Injection

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-60852. PoCs published by adminlove520, valeriocassoni.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2025-60852, a CSV Injection vulnerability in Instant Developer Foundation. It includes a payload example and steps to reproduce the issue, demonstrating how malicious formulas can be executed in spreadsheet software.

Description

A CSV Injection vulnerability existed in Instant Developer Foundation versions prior to 25.0.9600. Applications built with affected versions of the framework did not properly sanitize user-controlled input before including it in CSV exports. This issue could lead to code execution on the system where the exported CSV file is opened.

Exploits (2)

github WRITEUP 2 stars

by adminlove520 · pythonpoc

https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-60852

View Code ZIP pw:eip

This repository provides a detailed technical analysis of CVE-2025-60852, a CSV Injection vulnerability in Instant Developer Foundation. It includes a payload example and steps to reproduce the issue, demonstrating how malicious formulas can be executed in spreadsheet software.

Classification

Writeup 90%

Attack Type

Other

Complexity

Trivial

Reliability

Reliable

Target: Instant Developer Foundation < 25.0.9600

No auth needed

Prerequisites: User-controllable input field in a table exportable as CSV · Spreadsheet software with DDE enabled

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 27, 2026 Full analysis →

nomisec WORKING POC

by valeriocassoni · poc

https://github.com/valeriocassoni/CSV-Injection-in-Instant-Developer-Foundation-25.0-PoC

View Code ZIP pw:eip

This PoC demonstrates a CSV Injection vulnerability in Instant Developer Foundation (< 25.0.9600) where user-supplied input is not properly sanitized, allowing formula injection in exported CSV files. The payload `+CMD|' /C calc'!A0` triggers execution of `calc.exe` when opened in Excel with DDE enabled.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Instant Developer Foundation < 25.0.9600

No auth needed

Prerequisites: User-controllable input field in a table exportable as CSV · Excel with DDE launch enabled

MITRE ATT&CK

T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Various Sources

https://instantdeveloper.com/lp/cloud-freelance/index.html

Various Sources

https://doc.instantdeveloper.com/eng/default.aspx?artid=a6c69034-d1ee-4057-b19d-40505151ec8e&lang=eng

Various Sources

https://github.com/valeriocassoni/CSV-Injection-in-Instant-Developer-Foundation-25.0-PoC

Scores

CVSS v3 6.5

EPSS 0.0034

EPSS Percentile 25.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-1236

Status published

Published Oct 23, 2025

Tracked Since Feb 18, 2026