CVE-2025-1265

Critical

Published: 20 February 2025

Published

20 February 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0043 62.3th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

An OS command injection vulnerability exists in Vinci Protocol Analyzer that could allow an attacker to escalate privileges and perform code execution on affected system.

Security Summary

CVE-2025-1265 is an OS command injection vulnerability (CWE-78) in the Vinci Protocol Analyzer, published on 2025-02-20. The flaw carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating critical severity with network accessibility, low attack complexity, and requirements for only low privileges. It affects the Vinci Protocol Analyzer software, enabling attackers to escalate privileges and execute arbitrary code on the impacted system.

An attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) without requiring user interaction (UI:N). Successful exploitation allows command injection, leading to privilege escalation and arbitrary code execution with high impacts on confidentiality, integrity, and availability (C/I/A:H), further amplified by a change in scope (S:C).

For mitigation details, refer to the CISA ICS Advisory ICSA-25-051-06 at https://www.cisa.gov/news-events/ics-advisories/icsa-25-051-06 and the vendor support page at https://elseta.com/support/.

Details

CWE(s): CWE-78

References

https://elseta.com/support/
ics-cert@hq.dhs.gov
https://www.cisa.gov/news-events/ics-advisories/icsa-25-051-06
ics-cert@hq.dhs.gov