Description
This module exploits an arbitrary file read vulnerability in osTicket (CVE-2026-22200). The vulnerability exists in osTicket's PDF export functionality which uses mPDF. By injecting a specially crafted HTML payload containing PHP filter chain URIs into a ticket reply, an attacker can read arbitrary files from the server when the ticket is exported to PDF.
The PHP filter chain constructs a BMP image header that is prepended to the target file contents. When mPDF renders the ticket as a PDF, it processes the php://filter URI, reads the target file, and embeds it as a bitmap image in the resulting PDF. The module then extracts the file contents from the PDF.
Authentication is required. The module supports both staff panel (/scp/) and client portal login. An existing ticket number is also required.
Default files extracted are /etc/passwd and include/ost-config.php. The osTicket config file contains database credentials and the SECRET_SALT value.
Module options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use auxiliary/gather/osticket_arbitrary_file_readmsf undefined(osticket_arbitrary_file_read) > show actions ...actions...msf undefined(osticket_arbitrary_file_read) > set ACTION < action-name >msf undefined(osticket_arbitrary_file_read) > show options ...show and set options...msf undefined(osticket_arbitrary_file_read) > runPrioritise with Active Threat Intelligence
With curated Threat Intelligence, you can see which vulnerabilities truly put you at risk, prioritize what matters most, and act before attackers do.
Explore Intelligence Hub