CVE-2025-63690
Published: 07 November 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-63690 is a remote code execution vulnerability (CWE-470: Unsafe Reflection) in pig-mesh Pig 3.8.2 and earlier. The flaw is in the Quartz scheduled-task management function of the system management module: when a scheduled task is defined, the operator-supplied class name and method name are resolved and invoked through Java reflection, so any class on the application's classpath that has a parameterless constructor and a method taking a single String argument can be instantiated and called with an attacker-chosen string. The jakarta.el.ELProcessor class that ships with Tomcat (Jakarta Expression Language) satisfies both constraints, and its eval method evaluates an EL expression, so an attacker can use it to execute arbitrary commands on the server.
Exploitation requires network access and high privileges (PR:H), that is, an authenticated account permitted to configure scheduled tasks. It is low complexity (AC:L), needs no user interaction (UI:N), and results in a scope change (S:C) with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), for a CVSS v3.1 base score of 9.1 (vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
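The following is an added illustration of the CWE-470 pattern the summary describes, not code from pig-mesh Pig. The class, record and interface names (QuartzJobInvoker, JobSpec, ScheduledJob, EchoJob) are hypothetical and only model the advisory's description: a scheduled-task definition carrying a class name, a method name and a String argument that is invoked via reflection. The unsafe path is exercised with java.lang.StringBuilder so the demo needs only a JDK (17 or later for records); in a Tomcat-hosted application the identical call shape reaches jakarta.el.ELProcessor.eval(String). The hardened variant is one possible design, not the project's actual fix.

```java
import java.lang.reflect.Method;
import java.util.Set;

// Added example modeled on the advisory text; NOT pig-mesh Pig's code.
public class QuartzJobInvoker {

    // Hypothetical: what a scheduled-task definition carries (class, method, argument).
    public record JobSpec(String className, String methodName, String argument) {}

    // Hypothetical job contract that a hardened scheduler would require.
    public interface ScheduledJob {
        String run(String argument);
    }

    // VULNERABLE pattern: class and method selection are fully caller-controlled.
    // Any classpath class with a no-arg constructor and a public method taking one
    // String can be instantiated and invoked with an attacker-chosen string.
    public static Object invokeUnsafe(JobSpec spec) throws Exception {
        Class<?> clazz = Class.forName(spec.className());                 // any class on the classpath
        Object target = clazz.getDeclaredConstructor().newInstance();      // requires a parameterless constructor
        Method method = clazz.getMethod(spec.methodName(), String.class);  // any public method taking a String
        return method.invoke(target, spec.argument());
    }

    // HARDENED (one possible design): only statically registered job classes that
    // implement ScheduledJob may run, and the method is fixed rather than chosen
    // by the caller, so there is no reflective method lookup at all.
    private static final Set<String> ALLOWED_JOBS = Set.of(
        "QuartzJobInvoker$EchoJob"   // hypothetical registered job (binary name of the nested class)
    );

    public static String invokeSafe(JobSpec spec) throws Exception {
        if (!ALLOWED_JOBS.contains(spec.className())) {
            throw new SecurityException("job class not registered: " + spec.className());
        }
        Class<?> clazz = Class.forName(spec.className());
        if (!ScheduledJob.class.isAssignableFrom(clazz)) {
            throw new SecurityException("not a ScheduledJob: " + spec.className());
        }
        ScheduledJob job = (ScheduledJob) clazz.getDeclaredConstructor().newInstance();
        return job.run(spec.argument());
    }

    // Hypothetical legitimate job.
    public static class EchoJob implements ScheduledJob {
        public String run(String argument) { return "echo:" + argument; }
    }

    public static void main(String[] args) throws Exception {
        // A legitimate job succeeds through both paths.
        JobSpec good = new JobSpec("QuartzJobInvoker$EchoJob", "run", "hello");
        System.out.println(invokeUnsafe(good));   // echo:hello
        System.out.println(invokeSafe(good));     // echo:hello

        // The unsafe path accepts any JDK class meeting the constraints, e.g.
        // java.lang.StringBuilder (no-arg constructor, public append(String)).
        // With an EL implementation on the classpath, as in a Tomcat-hosted app,
        // the same call shape reaches jakarta.el.ELProcessor.eval(String), which
        // is the primitive the advisory describes; it is not exercised here.
        JobSpec anyClass = new JobSpec("java.lang.StringBuilder", "append", "attacker-controlled");
        System.out.println(invokeUnsafe(anyClass));   // attacker-controlled

        // The hardened path rejects it before any class is instantiated.
        try {
            invokeSafe(anyClass);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac QuartzJobInvoker.java && java QuartzJobInvoker`. The check that matters is the one performed before Class.forName: a fixed allowlist of job classes plus a fixed invocation contract removes both attacker-controlled inputs (class name and method name) that make the reflective call exploitable.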
Advisories and further details, including potential patches or workarounds, are documented in the referenced GitHub repositories: https://github.com/LockeTom/vulnerability/blob/main/md/pig_Remote_Code_Execution_Vulnerability.md and https://github.com/pig-mesh/pig/issues/1199.
Details
- CWE(s): CWE-470, Use of Externally-Controlled Input to Select Classes or Code ("Unsafe Reflection")
- Affected Products: pig-mesh Pig 3.8.2 and earlier
- MITRE ATT&CK Enterprise Techniques: T1190 Exploit Public-Facing Application
Why these techniques?
The vulnerability is reached through the application's own management interface: the Quartz scheduled-task function in the system management module invokes an operator-supplied Java class and method via reflection (for example jakarta.el.ELProcessor.eval for command execution), so an attacker holding a privileged account on the exposed application can turn that interface into remote code execution, which is exploitation of a public-facing application.