Tag: cwe-78

Critical OS Command Injection in MicroWorld eScan Antivirus (CVE-2025-0798)
Overview
A critical vulnerability has been identified in MicroWorld eScan Antivirus version 7.0.32 for Linux. Tracked as CVE-2025-0798, the flaw resides in the Quarantine Handler component, specifically involving the rtscanner file. This vulnerability has been classified as an OS Command Injection issue, allowing remote attackers to execute arbitrary commands on the system.
Technical Details
The vulnerability arises due to insufficient sanitization of inputs processed by the rtscanner file. When the system handles quarantined files, it improperly passes user-supplied input to operating system commands. This results in an OS Command Injection, categorized under CWE-78 and CWE-77, both referring to improper command execution from untrusted input.
While the attack requires no privileges and can be executed remotely, it has a high attack complexity due to the intricate nature of triggering the vulnerable code path. According to public disclosures, exploitation is challenging but possible. A proof-of-concept (PoC) has been made publicly available, increasing the urgency for mitigation.
Impact Assessment
The vulnerability has been scored across multiple CVSS versions:
- CVSS 4.0: 9.2 (CRITICAL) — CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
- CVSS 3.1 & 3.0: 8.1 (HIGH) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- CVSS 2.0: 7.6 — AV:N/AC:H/Au:N/C:C/I:C/A:C
The vulnerability affects confidentiality, integrity, and availability at a high level. Given its remote exploitability and the potential to fully compromise a system, it poses a significant threat to organizations relying on MicroWorld eScan Antivirus for Linux.
Disclosure and Vendor Response
The vulnerability was discovered and reported by FPT IS Security and made public through VulDB on January 29, 2025. Despite early vendor notification, there has been no response or official mitigation guidance from MicroWorld as of the latest update.
Recommendations
- Limit exposure: Ensure that eScan services are not directly exposed to the internet or untrusted networks.
- Monitor systems: Watch for abnormal system behavior or unauthorized processes originating from eScan components.
- Mitigate via containment: If updates or patches are unavailable, consider isolating affected systems or switching to alternative security tools.
- Exploit awareness: Review the published PoC at GitHub to understand potential attack vectors and detection signatures.
Conclusion
CVE-2025-0798 highlights the criticality of robust input validation and the risks posed by command injection flaws in security software itself. Organizations using MicroWorld eScan Antivirus should prioritize investigation and risk mitigation measures immediately, particularly in Linux environments.
2025-05-20
CVE-2025-43562: Critical OS Command Injection in Adobe ColdFusion
Overview
On May 13, 2025, Adobe disclosed CVE-2025-43562, a critical vulnerability in its ColdFusion platform. This flaw is an OS Command Injection vulnerability categorized under CWE-78, which could allow a high-privileged attacker to execute arbitrary commands on the host operating system without user interaction. The scope of this issue is changed, meaning that the impact can extend beyond the original component.
Vulnerability Details
The vulnerability affects the following ColdFusion versions:
- ColdFusion 2025.1
- ColdFusion 2023.13
- ColdFusion 2021.19 and earlier
The core issue lies in the improper neutralization of special elements in user input that are used in operating system commands. An attacker with sufficient privileges can exploit this weakness to inject and execute arbitrary OS-level commands in the context of the current user, potentially leading to full system compromise.
Technical Analysis
This vulnerability is rated Critical with a CVSS v3.1 base score of 9.1. The vector string is:
```
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
```
Key characteristics include:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Changed
- Confidentiality, Integrity, Availability Impact: High
This means that a remote attacker with high privileges can exploit the flaw over the network without user interaction, leading to complete control over affected systems and services.
Understanding CWE-78
CWE-78: OS Command Injection refers to scenarios where software constructs all or part of an OS command using untrusted input. Without proper sanitization, malicious input can be used to alter the command’s structure and logic, allowing arbitrary command execution. In the ColdFusion context, this could be triggered by poorly validated parameters reaching system-level functions.
Impact and Exploitation
Adobe’s security advisory notes that successful exploitation may result in full system takeover, data exfiltration, or service disruption. Since the vulnerability requires no user interaction and has a low attack complexity, it represents a serious threat in environments with exposed or internet-facing ColdFusion deployments.
Recommendations
To mitigate CVE-2025-43562, organizations should:
- Upgrade to the latest secure versions of ColdFusion as released by Adobe.
- Sanitize and validate all user inputs rigorously.
- Restrict OS command functionality within ColdFusion environments where possible.
- Limit access to administrative interfaces and monitor system activity closely.
Conclusion
CVE-2025-43562 underscores the risks posed by inadequate input neutralization and command handling. Given the critical nature and ease of exploitation, immediate patching and hardening of systems is strongly recommended to prevent exploitation and maintain security integrity.
2025-05-20
CVE-2025-43858: Critical Command Injection in YoutubeDLSharp on Windows
Overview
CVE-2025-43858 is a critical vulnerability discovered in YoutubeDLSharp, a .NET wrapper around the popular command-line video downloaders youtube-dl and yt-dlp. This issue affects versions from 1.0.0-beta4 to prior to 1.1.2 and allows for command injection on Windows systems under specific conditions.
Technical Details
The vulnerability is categorized under CWE-77 and CWE-78, which refer to improper neutralization of special elements in command inputs. Specifically, YoutubeDLSharp passes arguments to yt-dlp without proper sanitization when executed via the command prompt on Windows.
This behavior becomes critical due to the use of the UseWindowsEncodingWorkaround flag, which is set to true by default. Users invoking built-in methods from YoutubeDL.cs cannot override this setting, making them especially vulnerable. As a result, a malicious input could trigger unintended command execution, potentially compromising confidentiality, integrity, and availability on the target system.
CVSS Score and Severity
The vulnerability has been assigned a CVSS v3.1 base score of 9.2, classifying it as CRITICAL. The vector string is:
```
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
```
This indicates that the attack can be carried out locally with low complexity, no privileges, and no user interaction, while resulting in high impact on confidentiality and integrity.
Affected Versions
- Product: YoutubeDLSharp
- Vendor: Bluegrams
- Versions Affected: >= 1.0.0-beta4 and < 1.1.2
Mitigation
The vulnerability has been addressed in version 1.1.2. All users of affected versions should:
- Upgrade to v1.1.2 immediately
- Review usage of built-in command execution methods in their implementations
- Avoid relying on defaults that obscure execution context or encoding behavior
References
Conclusion
CVE-2025-43858 highlights the risks of executing command-line utilities without stringent input validation. Developers embedding third-party tools like yt-dlp should ensure that all input is carefully sanitized to avoid introducing critical security flaws. Updating to the latest version is essential for maintaining a secure software environment.
2025-05-20