CVE-2025-1946
Published: 04 March 2025
Description
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Security Summary
CVE-2025-1946 is a command injection vulnerability in the hzmanyun Education and Training System version 2.1. The issue resides in the exportPDF function of the /user/exportPDF file, where manipulation of the 'id' argument enables command injection. Rated with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and associated with CWEs-74 and CWE-77, it was published on 2025-03-04.
The vulnerability allows remote exploitation by an authenticated attacker with low privileges, requiring low attack complexity and no user interaction. Successful exploitation enables command injection, resulting in limited impacts to confidentiality, integrity, and availability.
Advisories and further details are documented in references such as the GitHub report at https://github.com/heiheixz/report/blob/main/nxb_1.md and VulDB entries at https://vuldb.com/?ctiid.298520, https://vuldb.com/?id.298520, and https://vuldb.com/?submit.506657. The exploit has been publicly disclosed.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in a web app endpoint directly enables exploitation of public-facing applications (T1190) and arbitrary command execution via interpreters (T1059).