CVE-2025-27925
Published: 10 March 2025
Description
Nintex Automation 5.6 and 5.7 before 5.8 deserializes user-supplied input unsafely (CWE-502), allowing a crafted serialized payload to achieve arbitrary code execution.
Security Summary
CVE-2025-27925 is an insecure deserialization vulnerability (CWE-502) in Nintex Automation 5.6 and 5.7 before 5.8. The product deserializes user-supplied input without treating it as untrusted, so a crafted serialized payload can lead to arbitrary code execution in the application. Published on 2025-03-10, it carries a CVSS v3.1 base score of 8.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H): High severity, with High impact on confidentiality, integrity and availability.
A low-privileged authenticated user (PR:L) with network access to the application (AV:N) can exploit the flaw with no user interaction (UI:N); the only factor keeping the score below Critical is the High attack complexity (AC:H), typically the work of building a payload that fits the target's deserializer. Scope is Changed (S:C), meaning the impact is not confined to the vulnerable component. Successful exploitation enables reading sensitive data, modifying system resources and disrupting service, up to complete compromise of the affected Nintex Automation instance.
The vendor advisory is the Nintex release notes at https://help.nintex.com/en-US/platform/ReleaseNotes/K2Five.htm; the vulnerability is fixed in Nintex Automation 5.8 and later. Upgrade affected 5.6 and 5.7 deployments as a priority. Because any low-privileged account is sufficient (PR:L), restricting which users can reach the application reduces exposure but is not a substitute for the upgrade.
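The two checks a practitioner wants from this summary, as an added example that is not Nintex code (Nintex Automation is a .NET product; the pattern is shown here in Python, where pickle plays the role of the .NET serializer). The names `run_command`, `Gadget`, `AllowlistUnpickler`, `vulnerable_load`, `hardened_load` and `is_affected` are chosen for this example; `run_command` is a constructed stand-in for a real sink such as os.system or Process.Start and only records the command it is handed.

```python
"""
CWE-502 in miniature (added example, not the vendor's code):
a deserializer that trusts its input runs attacker-chosen callables during
load; an allowlisting deserializer refuses them. Also the affected-version
predicate for the range named on this page (5.6 and 5.7 before 5.8).
"""
import io
import pickle

# Constructed stand-in for a dangerous sink (os.system, subprocess, .NET
# Process.Start ...). It only records the command so the example is safe to run.
CALL_LOG = []


def run_command(cmd):
    CALL_LOG.append(cmd)
    return f"would execute: {cmd}"


class Gadget:
    """Attacker-controlled object. pickle honours __reduce__, so merely loading
    this object calls run_command() with an attacker-chosen argument."""

    def __init__(self, cmd):
        self.cmd = cmd

    def __reduce__(self):
        return (run_command, (self.cmd,))


def build_malicious_payload(cmd):
    """What a low-privileged user (PR:L) would submit as 'serialized input'."""
    return pickle.dumps({"action": "approve", "context": Gadget(cmd)})


def build_benign_payload():
    """A legitimate message: only plain data, no object graph."""
    return pickle.dumps({"action": "approve", "context": {"item": 42}})


def vulnerable_load(blob):
    """CWE-502 as on this page: the stream is trusted, so every callable the
    payload references is resolved and invoked while loading."""
    return pickle.loads(blob)


class AllowlistUnpickler(pickle.Unpickler):
    """Mitigation pattern: refuse every global the message does not need.
    dict/list/str/int use dedicated opcodes and never reach find_class, so a
    data-only message needs an empty allowlist. Extend it deliberately."""

    ALLOWED = frozenset()

    def find_class(self, module, name):
        if (module, name) not in self.ALLOWED:
            raise pickle.UnpicklingError(f"forbidden global {module}.{name}")
        return super().find_class(module, name)


def hardened_load(blob):
    return AllowlistUnpickler(io.BytesIO(blob)).load()


def is_affected(version):
    """Affected range named on this page: Nintex Automation 5.6 and 5.7 before
    5.8. Only major.minor is compared, so a build such as 5.7.3 is still 5.7;
    versions outside the listed range (5.5, 5.8, 6.0) are not flagged."""
    major, minor = (int(p) for p in version.split(".")[:2])
    return (5, 6) <= (major, minor) < (5, 8)


if __name__ == "__main__":
    evil = build_malicious_payload("whoami")
    vulnerable_load(evil)
    print("vulnerable loader ran:", CALL_LOG)
    try:
        hardened_load(evil)
    except pickle.UnpicklingError as exc:
        print("hardened loader refused:", exc)
    print("5.7.3 affected:", is_affected("5.7.3"), "| 5.8 affected:", is_affected("5.8"))
```

The allowlist is the second-best fix; the best is not to accept a serialized object graph from a low-privileged caller at all and to parse a data-only format instead, which is the same conclusion the vendor's patch implies by removing the unsafe deserialization.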
Details
- CWE(s): CWE-502 Deserialization of Untrusted Data
- Affected Products: Nintex Automation 5.6 and 5.7 before 5.8 (fixed in 5.8 and later)
- MITRE ATT&CK Enterprise Techniques: T1068 Exploitation for Privilege Escalation; T1059 Command and Scripting Interpreter
Why these techniques?
Insecure deserialization (CWE-502) in a network-accessible application lets a low-privileged authenticated user achieve arbitrary code execution in the application's context. That maps to Exploitation for Privilege Escalation (T1068), since the attacker gains the application's privileges from a low-privileged account, and to Command and Scripting Interpreter (T1059), since the payload typically runs attacker-chosen commands or scripts.