CVE-2025-69269

Critical

Published: 12 January 2026

Published

12 January 2026

Modified

14 January 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0016 36.3th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows OS Command Injection.This issue affects DX NetOps Spectrum: 23.3.6 and earlier.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 directly mitigates OS command injection (CWE-78) by requiring validation and neutralization of special elements in inputs before they are used in OS commands.

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely remediation of known flaws, directly addressing CVE-2025-69269 through patching as specified in the Broadcom advisory.

RA-5 Vulnerability Monitoring and Scanning good match

prevent

RA-5 ensures vulnerabilities like CVE-2025-69269 are identified via scanning and remediated based on risk, preventing exploitation.

Security SummaryAI

CVE-2025-69269 is an improper neutralization of special elements used in an OS command, classified as an OS Command Injection vulnerability (CWE-78), affecting Broadcom DX NetOps Spectrum versions 23.3.6 and earlier on both Windows and Linux platforms. Published on 2026-01-12, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as a critical issue due to its potential for severe impact.

The vulnerability enables exploitation over the network with low complexity, requiring no privileges, authentication, or user interaction. Attackers can remotely inject and execute arbitrary operating system commands on the affected system, potentially leading to complete compromise with high impacts on confidentiality, integrity, and availability.

Mitigation guidance and patch information are detailed in the Broadcom security advisory available at https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756.

Details

CWE(s): CWE-78

Affected Products

broadcom

dx netops spectrum

≤ 23.3.7

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059 Command and Scripting Interpreter Execution

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

attack.mitre.org →

Why these techniques?

OS Command Injection in a network-accessible service enables exploitation of public-facing applications (T1190) to execute arbitrary OS commands via command interpreters (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756
Vendor Advisory · vuln@ca.com