Description

A command injection vulnerability in Automai BotManager exists due to missing or improper certificate validation. An attacker able to present a crafted certificate or intercept the connection can inject arbitrary system commands into the affected process, which are then executed with the privileges of the application.

Details

• Product: Automai BotManager
• Affected Versions: < 25.2.0
• Vulnerability Type: CWE-295: Improper Certificate Validation
• Risk Level: Critical - CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
• Authentication: Required
• Vendor URL:
• Vendor acknowledged vulnerability: Yes
• Vendor Status: Fixed
• CVE: CVE-2025-46070

Impact

Successful exploitation allows an attacker to execute arbitrary OS commands, which may lead to unauthorized access, data manipulation or exfiltration, installation of malware, and potentially full compromise of the underlying system and connected infrastructure.

References

• National Vulnerability Database CVE-2025-46070

Timeline

• 2025-04: Vulnerability reported to the vendor.
• 2025-05: Vendor published a fix for the issue.
• 2026-01: Information about the vulnerability is published.

Credits

• Bastian Recktenwald (Bastian.Recktenwald@ZeroBreach.de)