SECURITY ADVISORY
- PUBLISHING DATE: September 25, 2025
- RELEASE TYPE: Security Patch Release
- CRITICALITY: MEDIUM
- AFFECTED VERSION: OTOBO 10.0
Security Fix
- [Security | high] Fix for potential privilege escalation via backup.pl
We have closed a potential security vulnerability which – only on systems configured to allow backup.pl to be executed with root permissions by any user (e.g. through modifications in the sudoers file) – enabled command injection. This could allow standard users on the OTOBO server to execute arbitrary commands with root privileges.
Standard installations are not affected.
Thanks to Diego Berger Tellaroli for reporting this issue! [#4619]
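To check whether a host meets the precondition described above, the following added example (not part of the OTOBO advisory or code base) lists sudoers rules that reference backup.pl and marks those granted to every user. The sample rules and the `/path/to/otobo` placeholder path are constructed for illustration.

```shell
#!/bin/sh
# Added example: list sudoers rules that mention backup.pl.
# Reads sudoers-format text on stdin; prints "line<TAB>grantee<TAB>rule".
find_backup_pl_rules() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF files
        pending == "" { start = NR }            # first line of a logical rule
        /\\$/ { sub(/\\$/, ""); pending = pending $0 " "; next }  # continuation
        {
            rule = pending $0; pending = ""
            gsub(/[ \t]+/, " ", rule); sub(/^ /, "", rule)
            # "#" opens a comment or directive, except a "#uid" user spec
            if (rule ~ /^#/ && rule !~ /^#[0-9]+ /) next
            if (rule !~ /backup\.pl/) next
            split(rule, f, " ")
            # A leading ALL grants the rule to every local user
            who = (f[1] == "ALL") ? "ANY-USER" : f[1]
            printf "%d\t%s\t%s\n", start, who, rule
        }
    '
}

# Constructed sample input; /path/to/otobo is a placeholder path.
sample_sudoers() {
    cat <<'EOF'
# constructed sample, not taken from a real host
Defaults env_reset
root ALL=(ALL:ALL) ALL
# ALL ALL=(root) NOPASSWD: /path/to/otobo/backup.pl
ALL ALL=(root) NOPASSWD: \
    /path/to/otobo/backup.pl
%helpdesk ALL=(root) /usr/bin/systemctl restart apache2
otobo ALL=(root) NOPASSWD: /path/to/otobo/backup.pl
EOF
}

sample_sudoers | find_backup_pl_rules
```

On a live host, feed it the real files as root, for example `cat /etc/sudoers /etc/sudoers.d/* | find_backup_pl_rules`; reported line numbers then refer to the concatenated input. A `Cmnd_Alias` definition that names backup.pl is reported with `Cmnd_Alias` as the grantee, so the rules using that alias need a manual look.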
Changes
- [Change] Docker: Upgraded Perl base image to 5.38-bookworm [#4619]
Bugfixes
Next steps
Update to OTOBO 10.0.26
We recommend that you fix the vulnerability and benefit from the latest improvements. Please update your system.
🔔 Reminder: End of Support for OTOBO 10.0
We’d like to remind you that support for OTOBO 10.0 will end at the end of this year.
To ensure you continue working securely and efficiently, we recommend upgrading to the latest version. Our team will be happy to support you – from planning to implementation.
As always, feel free to reach out with any questions.
Report a security issue: security@otobo.org