Cyber Posture

CVE-2025-0457

High

Published: 16 January 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0169 (82.3th percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Description

The airPASS from NetVision Information has an OS Command Injection vulnerability, allowing remote attackers with regular privileges to inject and execute arbitrary OS commands.

Security Summary

CVE-2025-0457 is an OS Command Injection vulnerability (CWE-78) affecting the airPASS product from NetVision Information. Published on 2025-01-16, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting high severity due to its potential for significant impacts across confidentiality, integrity, and availability.

The vulnerability enables remote attackers possessing regular (low) privileges to inject and execute arbitrary OS commands over the network. Exploitation is low-complexity and requires no user interaction. Scope is unchanged, and a successful attack allows high-level compromise of the affected system.

Advisories from TWCERT/CC provide further details on this issue, including mitigation recommendations, accessible at https://www.twcert.org.tw/en/cp-139-8362-efb33-2.html and https://www.twcert.org.tw/tw/cp-132-8361-ff3fb-1.html.

Details

CWE(s): CWE-78

References