CVE-2025-65882

CriticalPublic PoC

Published: 09 December 2025

Published

09 December 2025

Modified

02 January 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0019 40.8th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

An issue was discovered in openmptcprouter thru 0.64 in file common/package/utils/sys-upgrade-helper/src/tools/sysupgrade.c in function create_xor_ipad_opad allowing attackers to potentially write arbitrary files or execute arbitrary commands.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 requires information input validation at critical entry points, directly preventing OS command injection in the create_xor_ipad_opad function by rejecting malicious inputs.

SI-2 Flaw Remediation good match

prevent

SI-2 mandates timely flaw remediation, directly addressing this CVE by applying the patch that fixes the command injection vulnerability in sysupgrade.c.

AC-6 Least Privilege partial match

prevent

AC-6 enforces least privilege, limiting the damage from successful command injection or arbitrary file writes by restricting the sysupgrade process permissions.

Security SummaryAI

CVE-2025-65882 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) discovered in openmptcprouter through version 0.64, affecting the file common/package/utils/sys-upgrade-helper/src/tools/sysupgrade.c in the function create_xor_ipad_opad. Classified under CWE-78 (OS Command Injection), it enables attackers to potentially write arbitrary files or execute arbitrary commands on the affected system. The issue was published on 2025-12-09.

The vulnerability is remotely exploitable over the network with low complexity, requiring no privileges, no user interaction, and no change in scope, leading to high impacts on confidentiality, integrity, and availability. Unauthenticated attackers can leverage it to achieve remote code execution or arbitrary file writes, potentially compromising the entire router device running openmptcprouter.

Mitigation is addressed in a patch commit at https://github.com/Ysurac/openmptcprouter/commit/09393d1c41a227bea7d5b85c0a06221b1302b25f. Additional details are available on the project site at http://openmptcprouter.com and a related gist at https://gist.github.com/AradCohen/939ee50d60c4d2bd555a364615a5ab9c; security practitioners should apply the patch or upgrade to a fixed version promptly.

Details

CWE(s): CWE-78

Affected Products

openmptcprouter

≤ 0.64

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

CVE-2025-65882 is an unauthenticated remote OS command injection vulnerability in a public-facing router application (openmptcprouter), enabling remote code execution which directly maps to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

http://openmptcprouter.com
Product · cve@mitre.org
https://gist.github.com/AradCohen/939ee50d60c4d2bd555a364615a5ab9c
Exploit, Third Party Advisory · cve@mitre.org
https://github.com/Ysurac/openmptcprouter/commit/09393d1c41a227bea7d5b85c0a06221b1302b25f
Patch · cve@mitre.org