
CVE-2025-14700

Critical

Published: 17 December 2025
Modified: 23 December 2025
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0011 (29.1st percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

An input neutralization vulnerability in the Webhook Template component of Crafty Controller allows a remote, authenticated attacker to perform remote code execution via Server Side Template Injection.

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 directly addresses the input neutralization failure by requiring validation of inputs to the Webhook Template component, preventing SSTI and subsequent RCE.

Prevent: SI-2 mandates identification, reporting, and correction of flaws like CVE-2025-14700, enabling patching of the SSTI vulnerability in Crafty Controller.

Prevent: SI-9 restricts the types and amounts of information inputs to the Webhook Template component, mitigating SSTI by blocking malicious template payloads.

Security Summary

CVE-2025-14700 is an input neutralization vulnerability (CWE-1336) affecting the Webhook Template component in Crafty Controller. This flaw enables server-side template injection (SSTI), allowing a remote, authenticated attacker to achieve remote code execution. The vulnerability was published on 2025-12-17 and carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its high impact and network accessibility.

An attacker requires only low privileges (PR:L) as an authenticated user to exploit this vulnerability remotely over the network with low complexity and no user interaction. Successful exploitation grants full remote code execution on the server, compromising confidentiality, integrity, and availability with a scope change (S:C), potentially leading to complete system takeover.

The vulnerability is tracked in Crafty Controller's GitLab repository at https://gitlab.com/crafty-controller/crafty-4/-/issues/646, which serves as the primary advisory reference.

Details

CWE(s): CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine)

Affected Products: craftycontrol / Crafty Controller 4.6.1

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1221 Template Injection (Stealth): Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.
Why these techniques?

SSTI vulnerability in public-facing Webhook Template component enables remote code execution, directly facilitating T1221 (Template Injection) and T1190 (Exploit Public-Facing Application).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://gitlab.com/crafty-controller/crafty-4/-/issues/646 (Crafty Controller GitLab issue, primary advisory reference)