Cyber Posture

CVE-2025-65480

High

Published: 11 February 2026

Published
11 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0014 33.2th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

An issue was discovered in Pacom Unison Client 5.13.1. Authenticated users can inject malicious scripts in the Report Templates which are executed when certain script conditions are fulfilled, leading to Remote Code Execution.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly mitigates CWE-78 improper neutralization by requiring validation and sanitization of user inputs to Report Templates, preventing malicious script injection leading to RCE.

SI-2 Flaw Remediation good match
prevent

Addresses the specific flaw in Pacom Unison Client 5.13.1 by requiring timely installation of vendor-provided patches from advisories, eliminating the vulnerability.

AC-6 Least Privilege partial match
prevent

Enforces least privilege to restrict low-privilege authenticated users from accessing or modifying Report Templates, reducing the opportunity for script injection.

Security SummaryAI

CVE-2025-65480 is a remote code execution vulnerability in Pacom Unison Client version 5.13.1. Authenticated users can inject malicious scripts into Report Templates, which are executed when certain script conditions are fulfilled. The issue stems from improper neutralization of special elements, mapped to CWE-78 (Improper Neutralization of Special Elements used in an OS Command), and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An attacker with low-privilege authenticated access (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and without requiring user interaction (UI:N). Successful exploitation enables remote code execution with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing full system compromise within the context of the affected client.

Mitigation details and further information are available in advisories from the vendor at http://pacom.com and in the vulnerability research repository at https://github.com/derekyjj/vulnerability-research/tree/main/CVE-2025-65480, published on 2026-02-11.

Details

CWE(s)
CWE-78

MITRE ATT&CK Enterprise TechniquesAI

T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
attack.mitre.org →
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
attack.mitre.org →
Why these techniques?

OS Command Injection (CWE-78) in a network-accessible client application enables remote code execution via command/script interpreter abuse (T1059) and exploitation of client software vulnerability (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References