CVE-2025-20061

Critical

Published: 29 January 2025

Published

29 January 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0012 30.9th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

mySCADA myPRO does not properly neutralize POST requests sent to a specific port with email information. This vulnerability could be exploited by an attacker to execute arbitrary commands on the affected system.

Security Summary

CVE-2025-20061 is a critical vulnerability in mySCADA myPRO, published on 2025-01-29, where the software fails to properly neutralize POST requests sent to a specific port containing email information. Classified as CWE-78 (OS Command Injection), it enables arbitrary command execution on the affected system and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

The vulnerability can be exploited by any remote attacker with network access, requiring low attack complexity, no authentication privileges, and no user interaction. Successful exploitation allows the attacker to execute arbitrary commands, resulting in high impacts to confidentiality, integrity, and availability of the affected system.

Mitigation details are available in the CISA ICS Advisory ICSA-25-023-01 at https://www.cisa.gov/news-events/ics-advisories/icsa-25-023-01.

Details

CWE(s): CWE-78

References

https://www.cisa.gov/news-events/ics-advisories/icsa-25-023-01
ics-cert@hq.dhs.gov