Cyber Posture

CVE-2025-61196

High

Published: 30 October 2025

Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0027 (50.0th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Security Summary

CVE-2025-61196 is a code injection vulnerability (CWE-94) in BusinessNext CRMnext version 10.8.3.0. The flaw allows a remote attacker to execute arbitrary code via the comments input parameter. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), a High severity rating reflecting the full confidentiality, integrity and availability impact of code execution.

A remote attacker with low privileges, such as an authenticated user, can exploit the vulnerability over the network with low attack complexity and without requiring user interaction. Successful exploitation enables arbitrary code execution on the affected system, resulting in high impacts to confidentiality, integrity, and availability.

Further details, including potential exploitation information, are provided in the GitHub repository at https://github.com/zsamamah/CVE-2025-61196/blob/main/CVE-2025-61196.md. No vendor-specific patch or mitigation guidance is detailed in the available information.

Details

CWE(s)
CWE-94

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a code injection flaw in a public-facing CRM web application (BusinessNext CRMnext) that enables remote arbitrary code execution, which maps directly to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References