CVE-2025-12556
Published: 06 November 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-12556 is an argument injection vulnerability, classified under CWE-88, that exists in the affected product. It could allow an attacker to execute arbitrary code within the context of the host machine. The vulnerability was published on 2025-11-06T16:15:48.910 and carries a CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low complexity, and significant impacts on confidentiality, integrity, and availability.
An attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L) and without requiring user interaction (UI:N). Successful exploitation enables arbitrary code execution in the context of the host machine, potentially leading to high-level compromise of confidentiality, integrity, and availability within the unchanged scope (S:U).
Further details on mitigation are available in the CISA ICS Advisory ICSA-25-308-05 at https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-05.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Argument injection (CWE-88) lets a remote attacker with low privileges (PR:L) execute arbitrary code over the network (AV:N), which directly facilitates Exploitation of Remote Services (T1210) and Exploitation for Privilege Escalation (T1068).