CVE-2025-24861
Published: 13 February 2025
Description
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Security Summary
CVE-2025-24861, published on 2025-02-13, is a command injection vulnerability (CWE-77) that enables an attacker to inject commands via specially-crafted POST requests. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no integrity or availability effects. The vulnerability affects components referenced in CISA ICS advisory ICSA-25-044-17 and the Outback Power website.
Unauthenticated attackers with network access can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows remote command injection, potentially leading to unauthorized disclosure of sensitive information on the affected system.
For mitigation details, refer to the CISA advisory at https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-17 and Outback Power contact page at https://old.outbackpower.com/about-outback/contact/contact-us.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated command injection via POST in a public-facing application directly enables T1190 (Exploit Public-Facing Application) for initial access and facilitates T1059 (Command and Scripting Interpreter) for arbitrary command execution leading to data disclosure.