osTicket Flaw Lets Attackers Read Server Files via Malicious PDF Export

osTicket Vulnerability (CVE-2026-22200) Allows Arbitrary File Reading via PDF Export Feature

HIGH
January 22, 2026
Vulnerability, Patch Management

Full Report

Executive Summary

A high-severity arbitrary file read vulnerability, CVE-2026-22200, has been disclosed in osTicket, the widely used open-source helpdesk system. An unauthenticated attacker can use it to exfiltrate sensitive files from the server hosting osTicket, although the read itself is triggered by a privileged user. The attacker submits a support ticket whose body carries a PHP filter chain payload. When an agent or administrator later exports that ticket with the 'Export to PDF' function, the PDF generation library honours the PHP stream wrappers in the payload, and the contents of an arbitrary server file (e.g., config.php) are rendered into the PDF as a bitmap image from which the attacker can reconstruct the file, provided the PDF reaches them. The flaw is particularly dangerous because the same filter chains can be combined with other bugs, notably CVE-2024-2961 (CNEXT, a buffer overflow in glibc's iconv that PHP's convert.iconv filter reaches), to escalate from file read to full Remote Code Execution (RCE). Patches have been released, and administrators are urged to upgrade immediately.


Vulnerability Details

  • CVE ID: CVE-2026-22200
  • Description: The flaw is an injection of PHP stream-wrapper URIs into resource paths handled by the PDF generation library used by osTicket. Ticket content reaches the library unsanitised, so it honours the phar:// wrapper (which also exposes phar metadata deserialization, hence the object-injection angle) and php://filter chains when resolving resources in the ticket body. The report gives a payload of the form phar://data:;base64,PD9waHAgZWNobyBwaHBpbmZvKCk7ID8+/....
  • Attack Vector: An anonymous user submits a ticket containing the payload. The vulnerability only fires in a second step: a privileged user (agent or administrator) with access to the ticket export feature clicks 'Export to PDF', so exploitation depends on that routine staff action.
  • Result: The targeted file is read with the web server's privileges and embedded in the PDF output. The attacker obtains the contents only if they can access the generated PDF, for example if it is stored somewhere they can reach or is sent to them.

Affected Systems

  • osTicket: the 1.17 branch before 1.17.4 and the 1.18 branch before 1.18.3 are affected.

Exploitation Status

A proof-of-concept is publicly available. Widespread exploitation has not been confirmed, but the public disclosure, the lack of authentication for planting the payload and the routine nature of the triggering action (staff exporting a ticket) make it an attractive target. The possibility of chaining the file read into RCE, as researchers have demonstrated with CNEXT, significantly increases the risk.

Impact Assessment

  • Data Exfiltration: At a minimum, an attacker can read sensitive configuration files, which often contain database credentials, API keys, and other secrets. This information can be used to escalate the attack and compromise the entire application and its data.
  • Remote Code Execution (RCE): The file read becomes full RCE when combined with a further primitive. The best-known path is CVE-2024-2961 (CNEXT), a buffer overflow in glibc's iconv reached through PHP's convert.iconv filter; its public PHP exploit relies on exactly this kind of arbitrary file read to obtain memory addresses from /proc/self/maps before triggering the overflow. A file write or deserialization flaw would serve the same purpose. Either way the attacker ends up with complete control of the server.
  • Information Disclosure: Attackers could read any file readable by the web server user, including system files, application source code, and other sensitive documents stored on the server.

Detection Methods

  1. Web Application Firewall (WAF): Inspect POST requests to the ticket creation endpoint for PHP stream-wrapper strings such as phar://, php://filter and the convert.iconv / convert.base64-encode filter names. Decode URL-encoding, HTML entities and base64 before matching, as the wrapper rarely appears verbatim in a deliberately crafted payload.
  2. Log Analysis: Standard web server access logs record the request line, not the POST body, so the payload of a ticket submission will not normally appear in them. Capture request bodies at the WAF or reverse proxy, or search the stored ticket content in osTicket itself, for the same wrapper strings; base64-wrapped payloads must be decoded before the phar:// or php://filter prefix becomes visible.
  3. File Integrity Monitoring (FIM): While this flaw is a file read, monitoring for unexpected file writes could detect follow-on RCE attempts if the vulnerability is chained.
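To make the WAF and log-analysis items above concrete, here is an added example (not osTicket code, and not from the advisory's author) that screens the body of a ticket-creation POST for the wrapper strings listed, after peeling off URL-encoding, HTML entities and base64 several layers deep. The form field names (subject, message) and the four sample request bodies are constructed assumptions for illustration, not captured traffic.

```python
"""Screen osTicket ticket submissions for PHP stream-wrapper payloads.

Added example for this advisory, not osTicket or vendor code. It takes the raw
application/x-www-form-urlencoded body of a ticket-creation POST (as a WAF or
reverse proxy with body logging would capture it), peels off URL-encoding,
HTML entities and base64 a few layers deep, and reports any wrapper or filter
fragment named in the advisory. Field names and sample bodies are constructed.
"""
import base64
import html
import re
from urllib.parse import quote_plus, unquote_plus

# Fragments worth alerting on. phar:// and php://filter are the wrappers the
# advisory names; the convert.* filters are the building blocks of filter
# chains; a data: URI inside free-text ticket content is unusual enough to flag.
WRAPPER_RE = re.compile(
    r"phar://|php://filter|convert\.iconv\.|convert\.base64-(?:en|de)code|data:[^,]*;base64,",
    re.IGNORECASE,
)

# Candidate base64 runs long enough to hold a wrapper URI plus a target path
# (12+ base64 characters, i.e. 9+ decoded bytes).
B64_RE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")


def _b64_candidates(text: str) -> list[str]:
    """Decode every plausible base64 run in text; skip runs that are not base64."""
    out = []
    for m in B64_RE.finditer(text):
        run = m.group(0)
        run += "=" * (-len(run) % 4)  # restore padding a sender may have stripped
        try:
            out.append(base64.b64decode(run).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError
            continue
    return out


def decode_layers(text: str, max_depth: int = 3) -> set[str]:
    """Return text plus every variant reachable by up to max_depth rounds of
    URL-, HTML-entity- and base64-decoding, so a wrapper hidden under stacked
    encodings is still visible to the pattern match."""
    seen: set[str] = set()
    frontier = [text]
    for _ in range(max_depth):
        produced = []
        for s in frontier:
            if s in seen:
                continue
            seen.add(s)
            produced.append(unquote_plus(s))
            produced.append(html.unescape(s))
            produced.extend(_b64_candidates(s))
        frontier = [s for s in produced if s not in seen]
        if not frontier:
            break
    seen.update(frontier)
    return seen


def scan_ticket_body(raw_body: str) -> list[str]:
    """Return the lower-cased wrapper fragments found in any decoding of the
    body, sorted; an empty list means nothing suspicious was found."""
    hits = {m.group(0).lower()
            for variant in decode_layers(raw_body)
            for m in WRAPPER_RE.finditer(variant)}
    return sorted(hits)


# --- Constructed sample POST bodies (not captured traffic) -------------------

# 1. Filter chain in the message field, URL-encoded as a browser would send it.
SAMPLE_FILTER_CHAIN = "subject=Printer+jam&message=" + quote_plus(
    "php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode/resource=/etc/hostname"
)

# 2. phar:// URI hidden under base64, then URL-encoded.
SAMPLE_B64_PHAR = "subject=Hi&message=" + quote_plus(
    base64.b64encode(b"phar://attacker.phar/x").decode()
)

# 3. php://filter with the colon written as an HTML entity, then URL-encoded.
SAMPLE_ENTITY = "subject=Hi&message=" + quote_plus(
    "php&#58;//filter/convert.base64-encode/resource=x"
)

# 4. Ordinary ticket text with a long alphanumeric reference that looks
#    base64-like but decodes to nothing of interest (should stay clean).
SAMPLE_BENIGN = (
    "subject=Printer+jam&message=The+printer+on+floor+3+shows+error+E0501."
    "+Ticket+ref+ORD20260122ABCDEFGH"
)

if __name__ == "__main__":
    for name, body in [("filter_chain", SAMPLE_FILTER_CHAIN), ("b64_phar", SAMPLE_B64_PHAR),
                       ("entity", SAMPLE_ENTITY), ("benign", SAMPLE_BENIGN)]:
        print(f"{name:13s} -> {scan_ticket_body(body) or 'clean'}")
```

Run as a script it prints a verdict per sample; in practice the input is the request bodies captured at the WAF or reverse proxy, or the message text pulled from osTicket's ticket store. The data: pattern is the one most likely to need tuning down if your deployment legitimately receives inline images in ticket text; the phar:// and php://filter matches should be treated as high-confidence.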

Remediation Steps

  1. Upgrade osTicket: The primary and most effective remediation is to upgrade to a patched version immediately. The fixes are included in osTicket 1.18.3 and 1.17.4. This is a direct application of MITRE ATT&CK Mitigation M1051 - Update Software.
  2. Disable PDF Export (Temporary): If upgrading is not immediately possible, consider temporarily disabling the PDF export functionality or restricting access to it to a very limited set of trusted administrators while you plan the upgrade.
  3. Harden PHP Configuration: Review and tighten the PHP configuration (disable_functions, open_basedir) where your deployment allows it, but understand its limits here. disable_functions does not affect stream wrappers, and allow_url_fopen / allow_url_include only govern remote wrappers such as http://, so neither prevents phar:// or php://filter from being honoured. open_basedir limits which paths the web server can read, yet the osTicket configuration file sits inside the allowed tree. Treat this as defence in depth, not a fix.

Timeline of Events

January 22, 2026: This article was published.

MITRE ATT&CK Mitigations

Upgrade osTicket to a patched version (1.18.3 or 1.17.4) to fix the root cause of the vulnerability.

Mapped D3FEND Techniques:

Use a Web Application Firewall (WAF) to filter for malicious PHP stream wrappers in incoming HTTP requests.

D3FEND Defensive Countermeasures

The definitive countermeasure for CVE-2026-22200 is to upgrade osTicket to a patched version, 1.18.3 or 1.17.4. The vulnerability cannot be reliably mitigated with configuration changes alone, because it stems from how the application's code hands attacker-controlled ticket content to a core PHP feature (stream wrappers). Administrators must prioritise the update: the payload can be planted by an unauthenticated attacker, the export that triggers it is a routine staff action, and the files exposed include the osTicket configuration file with its database credentials. A successful file read of this kind is often the first step toward full system compromise.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

osTicket, Vulnerability, PHP, Arbitrary File Read, CVE-2026-22200
