CVE-2025-1947
Published: 04 March 2025
Description
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Security Summary
CVE-2025-1947 is a critical command injection vulnerability affecting the hzmanyun Education and Training System version 2.1.3. The flaw exists in the scorm function of the UploadImageController.java file, where manipulation of the param argument enables command injection. Published on 2025-03-04, it is associated with CWEs-74 and CWE-77 and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
An attacker with low privileges can exploit this vulnerability remotely with low complexity and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, such as executing arbitrary commands on the affected system.
Advisories and additional details, including potential mitigation steps, are documented in the following references: https://github.com/heiheixz/report/blob/main/nxb_2.md, https://vuldb.com/?ctiid.298521, https://vuldb.com/?id.298521, and https://vuldb.com/?submit.506659.
The exploit has been publicly disclosed and may be used by attackers.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection vulnerability in a public-facing web application (UploadImageController) directly enables exploitation of public-facing apps (T1190) and arbitrary command execution via command/scripting interpreters (T1059).