CVE-2025-20014

Critical

Published: 29 January 2025

Published

29 January 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0012 30.6th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

mySCADA myPRO does not properly neutralize POST requests sent to a specific port with version information. This vulnerability could be exploited by an attacker to execute arbitrary commands on the affected system.

Security Summary

CVE-2025-20014 is a critical vulnerability (CVSS score 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting mySCADA myPRO. The issue stems from the software's failure to properly neutralize POST requests sent to a specific port containing version information, enabling OS command injection as classified under CWE-78. Published on 2025-01-29, this flaw allows attackers to execute arbitrary commands on the affected system.

An unauthenticated attacker can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation grants high-impact access to confidentiality, integrity, and availability, potentially resulting in full compromise of the targeted system.

The CISA ICS Advisory ICSA-25-023-01 provides details on mitigation; refer to https://www.cisa.gov/news-events/ics-advisories/icsa-25-023-01 for recommended patches and remediation steps.

Details

CWE(s): CWE-78

References

https://www.cisa.gov/news-events/ics-advisories/icsa-25-023-01
ics-cert@hq.dhs.gov