CVE-2025-0255
Published: 24 March 2025
Description
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Security Summary
CVE-2025-0255 is an OS command injection vulnerability (CWE-78, improper neutralization of special elements used in an OS command) in HCL DevOps Deploy and HCL Launch. A remote, authenticated attacker holding high privileges can execute arbitrary commands on the underlying system by sending specially crafted input containing shell metacharacters (the "special elements" of CWE-78) that the product does not neutralize before using the input in an OS command. The vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H): high severity, because exploitation is network-reachable and low-complexity and yields full confidentiality, integrity and availability impact, tempered only by the requirement for a highly privileged account.
The attack needs no user interaction. Successful exploitation gives the attacker arbitrary command execution on the host with the privileges of the account under which HCL DevOps Deploy or HCL Launch runs, so an application administrator, or anyone who has obtained administrative credentials, can turn control of the deployment tool into control of the server it runs on. Because deployment tools of this kind hold credentials and agent connections to the systems they deploy to, the compromised host is also a natural pivot point into the environment it manages.
HCL has published a support knowledge base article (KB0119060) detailing the issue, available at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0119060, which security practitioners should consult for mitigation guidance and patch information.
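As an added illustration of the CWE-78 pattern the summary describes (example code written for this page, not code from HCL DevOps Deploy or HCL Launch; the advisory does not disclose the actual injection point), the Python below shows the same untrusted value handled three ways: interpolated into a shell command string, passed as a single argv element with no shell, and allow-list validated before the argv call. The "deployment name" field, the `echo` command standing in for whatever the application runs, the constructed payload and the allow-list pattern are all assumptions chosen for the demonstration.

```python
"""Illustrative CWE-78 (OS command injection) demonstration.

Added example, not code from HCL DevOps Deploy or HCL Launch: the real
injection point is not disclosed in the advisory. A "deployment name" taken
from an HTTP request is assumed as the attacker-controlled field, `echo` stands
in for whatever OS command the application runs, and the allow-list pattern is
an assumption chosen for the demo.
"""
import re
import subprocess

# Constructed attacker input: a legitimate-looking name followed by a shell
# metacharacter (';') and a second command. Under /bin/sh, ';' ends the first
# command and starts another.
CONSTRUCTED_PAYLOAD = "app1; echo INJECTED"

# Allow-list for a deployment name (assumption for the demo): letters, digits,
# dot, underscore, dash, 1-64 chars. Everything CWE-78 calls a "special element"
# (; | & $ ` ( ) < > newline, quotes, whitespace) is outside this set.
_SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def run_vulnerable(deployment_name: str) -> str:
    """Vulnerable pattern: interpolate untrusted input into a command string and
    hand the string to the shell. The shell parses the attacker's metacharacters,
    so the payload above runs a second command."""
    cmd = f"echo Deploying {deployment_name}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return proc.stdout


def run_argv_only(deployment_name: str) -> str:
    """Structural fix: pass the input as one argv element with shell=False. No
    shell parses it, so ';' is just a byte inside a single argument. This alone
    removes the command-injection vector (argument injection against the target
    program's own option parsing is a separate concern not covered here)."""
    proc = subprocess.run(["echo", "Deploying", deployment_name],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def run_hardened(deployment_name: str) -> str:
    """Defense in depth: allow-list validation before the argv call, so inputs
    that could never be a valid name are rejected with a clear error rather
    than silently passed along."""
    if not _SAFE_NAME.fullmatch(deployment_name):
        raise ValueError(f"rejected deployment name: {deployment_name!r}")
    return run_argv_only(deployment_name)


def hardened_rejects(deployment_name: str) -> bool:
    """True if the hardened path refuses the input."""
    try:
        run_hardened(deployment_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable :", repr(run_vulnerable(CONSTRUCTED_PAYLOAD)))
    print("argv only  :", repr(run_argv_only(CONSTRUCTED_PAYLOAD)))
    print("hardened   : rejected =", hardened_rejects(CONSTRUCTED_PAYLOAD))
```

The point to take from the three functions is that the argv form, not the regex, is what closes the injection: `run_argv_only` is safe against the payload even without validation, while the allow-list only adds an early, explicit rejection. When reviewing a fix for a CWE-78 finding, look for the shell string being removed, not just for a filter being added in front of it.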
Details
- CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
Affected Products
- HCL DevOps Deploy
- HCL Launch
(See KB0119060 for the affected versions and the fixed releases.)
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1059 Command and Scripting Interpreter
Why these techniques?
OS command injection (CWE-78) in the network-accessible HCL DevOps Deploy and HCL Launch web applications maps to exploitation of a public-facing application (T1190) for the entry vector and to arbitrary command execution through the host's command interpreter (T1059) for the effect. Because the CVSS vector requires high privileges (PR:H), T1190 applies to an attacker who already holds, or has stolen, an administrative account on the product; in practice the flaw is a step from application administrator to OS-level command execution on the server, not an unauthenticated initial-access path.