Cyber Posture

CVE-2025-63916

High · Public PoC

Published: 17 November 2025

Modified: 16 January 2026
KEV Added
Patch
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0045 (63.8th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Description

MyScreenTools v2.2.1.0 contains a critical OS command injection vulnerability in the GIF compression tool. The application fails to properly sanitize user-supplied file paths before passing them to cmd.exe, allowing attackers to execute arbitrary system commands with the privileges of the user running the application. The vulnerability exists in the CMD() function within GIFSicleTool\Form_gif_sicle_tool.cs, which constructs shell commands by concatenating unsanitized user input (file paths) and executes them via cmd.exe.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly requires validation and sanitization of user-supplied file paths in the CMD() function before concatenation into shell commands executed via cmd.exe, preventing the OS command injection vulnerability.

prevent

Mandates timely identification, reporting, and patching of the specific command injection flaw in MyScreenTools v2.2.1.0, eliminating the vulnerability upon remediation.

prevent

Enforces least privilege for the user context running MyScreenTools, limiting the impact and scope of arbitrary system commands executed through the injected file paths.
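
One way to apply the input-validation control above, as an added C# example that is not MyScreenTools code: the tool is started directly instead of through cmd.exe, so characters in a file name are never parsed by a shell. The class and helper names, the gifsicle install path and the `-O3 … -o …` argument layout are assumptions made for this illustration.

```csharp
using System;
using System.Diagnostics;
using System.IO;

// Added illustration, not the project's source. Names and paths are hypothetical.
static class SafeGifCompress
{
    const string GifsiclePath = @"C:\Tools\gifsicle.exe"; // assumed install location

    // Resolve the path and accept only an existing .gif file.
    static string ValidateGifPath(string userPath)
    {
        if (string.IsNullOrWhiteSpace(userPath))
            throw new ArgumentException("empty path");
        // A fully qualified path starts with a drive or UNC prefix, so it
        // cannot be mistaken for a gifsicle option such as "-o".
        string full = Path.GetFullPath(userPath);
        if (!string.Equals(Path.GetExtension(full), ".gif", StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("not a .gif file");
        if (!File.Exists(full))
            throw new FileNotFoundException("input not found", full);
        return full;
    }

    // Pattern of the kind the description reports (illustrative only):
    //   Process.Start("cmd.exe", "/c gifsicle.exe -O3 " + userPath + " -o " + outPath);
    // cmd.exe interprets &, |, <, >, ^ and % in that string, and & is a legal
    // character in a Windows file name, so filtering alone is fragile.
    static int Compress(string userInput, string userOutput)
    {
        var psi = new ProcessStartInfo
        {
            FileName = GifsiclePath,   // the tool itself, no cmd.exe in between
            UseShellExecute = false,   // direct process creation, no shell parsing
            CreateNoWindow = true
        };
        // ArgumentList (.NET Core 2.1+ / .NET 5+) escapes each element on its own.
        psi.ArgumentList.Add("-O3");
        psi.ArgumentList.Add(ValidateGifPath(userInput));
        psi.ArgumentList.Add("-o");
        psi.ArgumentList.Add(Path.GetFullPath(userOutput));
        using (Process p = Process.Start(psi))
        {
            p.WaitForExit();
            return p.ExitCode;
        }
    }

    static int Main(string[] args) =>
        args.Length == 2 ? Compress(args[0], args[1]) : 2;
}
```

With this layout a file named `a&b.gif` reaches gifsicle as a single argument rather than being split by a shell.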

Security Summary · AI

CVE-2025-63916, published on 2025-11-17, is a critical OS command injection vulnerability (CWE-78) in MyScreenTools v2.2.1.0. The flaw affects the GIF compression tool, where the CMD() function in GIFSicleTool\Form_gif_sicle_tool.cs fails to sanitize user-supplied file paths before concatenating them into shell commands executed via cmd.exe. This allows attackers to inject and execute arbitrary system commands with the privileges of the user running the application.

The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). Low-privileged attackers can exploit it remotely over the network with low attack complexity and without requiring user interaction. Exploitation enables execution of arbitrary commands under the context of the application's user privileges, resulting in high impacts to confidentiality and integrity.

GitHub references provide details on the issue, including a vulnerability research write-up at https://github.com/cydtseng/Vulnerability-Research/blob/main/myscreentools/OSCommandInjection-GifCompression.md, the vulnerable source code in https://github.com/luotengyuan/MyScreenTools/blob/master/GIFSicleTool/Form_gif_sicle_tool.cs, and the MyScreenTools repository at https://github.com/luotengyuan/MyScreenTools/tree/master. No patches or specific mitigations are detailed in these references.

Details

CWE(s)

Affected Products

Vendor: luotengyuan
Product: myscreentools
Versions: ≤ 2.2.1.0

MITRE ATT&CK Enterprise Techniques · AI

T1203 Exploitation for Client Execution (Tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1059.003 Windows Command Shell (Tactic: Execution)
Adversaries may abuse the Windows command shell for execution.
Why these techniques?

The OS command injection vulnerability directly enables exploitation for client execution (T1203) via a desktop application flaw and facilitates arbitrary command execution using Windows Command Shell (T1059.003) through unsanitized cmd.exe invocation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References