CVE-2025-25067
Published: 13 February 2025
Description
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Security Summary
CVE-2025-25067 is an OS command injection vulnerability (CWE-78) in mySCADA myPRO Manager. This flaw allows a remote attacker to execute arbitrary OS commands on affected systems. The vulnerability was published on 2025-02-13T22:15:12.780 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of required privileges or user interaction.
Any remote attacker can exploit this vulnerability without authentication by sending malicious input to the affected component in mySCADA myPRO Manager. Successful exploitation enables arbitrary OS command execution, granting high-impact control over confidentiality, integrity, and availability of the targeted system.
Mitigation guidance is available in the CISA ICS advisory ICSA-25-044-16 at https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-16. Vendor resources, including contacts and downloads potentially containing patches, are provided at https://www.myscada.org/contacts/ and https://www.myscada.org/downloads/mySCADAPROManager/.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote OS command injection in public-facing app directly enables T1190 for initial access via exploitation and T1059 for arbitrary command execution.