Cyber Posture

CVE-2025-25373

Critical · Public PoC

Published: 25 March 2025

Modified: 30 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0040 (60.5th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2025-25373 is a critical vulnerability in the Memory Management Module of NASA's Core Flight System (cFS) Aquila, stemming from insecure permissions (CWE-732). Published on 2025-03-25, it has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote code execution (RCE) on the affected platform.

The vulnerability can be exploited by unauthenticated attackers with network access, requiring low complexity and no user interaction. Successful exploitation enables arbitrary code execution on the cFS Aquila platform, resulting in high-impact compromise of confidentiality, integrity, and availability.

Advisories and further details are available at https://visionspace.com/nasa-cfs-version-aquila-software-vulnerability-assessment/.

Details

CWE(s)
CWE-732

Affected Products

Vendor: nasa
Product: core flight system
Version: 6.7.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes a remote unauthenticated RCE vulnerability in a network-accessible Memory Management Module, directly enabling exploitation of public-facing applications for arbitrary code execution and initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
