CVE-2025-3002
Published: 31 March 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2025-3002 is a critical OS command injection vulnerability affecting Digital China DCME-520 versions up to 20250320. The issue occurs in the processing of the file /usr/local/WWW/function/audit/newstatistics/mon_merge_stat_hist.php, where manipulation of the type_name argument enables injection of operating system commands. Associated with CWE-77 (Command Injection) and CWE-78 (OS Command Injection), it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-03-31.
Remote unauthenticated attackers can exploit this vulnerability with low complexity by sending crafted requests that manipulate the type_name parameter, leading to arbitrary OS command execution on the target system. Successful exploitation has limited impact on confidentiality, integrity, and availability, though command injection could enable further compromise depending on the attacker's follow-on actions. The exploit has been publicly disclosed and may be used; other parameters might be affected as well.
Advisories referenced in VulDB (ctiid.302051, id.302051, submit.524225) and GitHub repositories (Fizz-L/CVE1) provide details on the vulnerability and include a proof-of-concept for remote command execution, but no specific patches or vendor mitigations are detailed in the available information.
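With no vendor patch detailed, one defensive check is to review web access logs for requests to mon_merge_stat_hist.php whose type_name value contains anything other than plain identifier characters. The Python below is an added example, not code from the advisory or the vendor. It assumes common/combined-format access logs, a conservative allowlist for legitimate values, a placeholder URL path, and constructed sample log lines; it only sees values carried in the query string, not in POST bodies.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint file name and parameter named in the advisory.
ENDPOINT = "mon_merge_stat_hist.php"
PARAM = "type_name"
# Assumption: legitimate values are plain identifiers. Tune for your deployment.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.-]*")
# Request line inside a common/combined-format access log entry.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_requests(lines):
    """Return (line_number, decoded_value) for each request to the endpoint
    whose type_name value contains characters outside the allowlist."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        # Match on the file name only; the URL prefix varies by deployment.
        if not url.path.endswith("/" + ENDPOINT):
            continue
        # parse_qs percent-decodes values, so encoded metacharacters are seen.
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if not SAFE_VALUE.fullmatch(value):
                hits.append((number, value))
    return hits


# Constructed sample log lines (not real traffic). The /app/ prefix is a
# placeholder path and 192.0.2.0/24 is a documentation address range.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Apr/2025:10:00:01 +0000] "GET /app/mon_merge_stat_hist.php?type_name=traffic HTTP/1.1" 200 512',
    '192.0.2.77 - - [01/Apr/2025:10:00:09 +0000] "GET /app/mon_merge_stat_hist.php?type_name=traffic%3Bid HTTP/1.1" 200 498',
    '192.0.2.10 - - [01/Apr/2025:10:00:15 +0000] "GET /index.php?type_name=a%7Cb HTTP/1.1" 200 100',
    '192.0.2.77 - - [01/Apr/2025:10:00:20 +0000] "POST /app/mon_merge_stat_hist.php HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for number, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: {PARAM}={value!r}")
```

The POST request on the last sample line is not flagged because its body is not logged; covering that case needs request-body inspection at a proxy or WAF.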
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in a public-facing web app (PHP endpoint) directly enables remote unauthenticated exploitation of a public-facing application (T1190) and arbitrary Unix shell command execution (T1059.004).