CVE-2025-1546
Published: 21 February 2025
Description
A vulnerability has been found in BDCOM Behavior Management and Auditing System up to 20250210 and classified as critical. Affected by this vulnerability is the function log_operate_clear of the file /webui/modules/log/operate.mds. The manipulation of the argument start_code leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Security Summary
CVE-2025-1546 is a critical OS command injection vulnerability affecting the BDCOM Behavior Management and Auditing System versions up to 20250210. The issue resides in the log_operate_clear function within the file /webui/modules/log/operate.mds, where manipulation of the start_code argument enables attackers to inject arbitrary operating system commands. Classified under CWE-77 and CWE-78, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its remote exploitability and lack of prerequisites.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation allows injection and execution of OS commands, potentially resulting in limited impacts to confidentiality, integrity, and availability, such as data exfiltration, modification of system files, or denial of service on the targeted system. A proof-of-concept exploit has been publicly disclosed and may be actively used.
Advisories from VulDB and a related GitHub repository document the vulnerability but note that the vendor was contacted early without any response or patch release. Security practitioners should isolate affected systems, monitor for suspicious log_operate_clear requests, and apply network controls to block unauthorized access to the /webui/modules/log/operate.mds endpoint until a vendor fix is available.
Details
- CWE(s)