CVE-2025-20061

Published Jan 29, 2025

Last updated 2 months ago

mySCADA

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2025-20061 is an operating system command injection vulnerability affecting mySCADA myPRO products, specifically myPRO Manager and myPRO Runtime. The vulnerability stems from the improper neutralization of special elements within POST requests sent to a specific port when email information is included. Successful exploitation of CVE-2025-20061 could allow a remote attacker to execute arbitrary commands on the affected system. This is possible due to the failure to properly sanitize user inputs, which opens the door to command injection. The vulnerability can be mitigated by updating to mySCADA PRO Manager 1.3 and mySCADA PRO Runtime 9.2.1.

Description: mySCADA myPRO does not properly neutralize POST requests sent to a specific port with email information. This vulnerability could be exploited by an attacker to execute arbitrary commands on the affected system.
Source: ics-cert@hq.dhs.gov
NVD status: Received

Risk scores

CVSS 4.0

Type: Secondary
Base score: 9.3
Impact score: -
Exploitability score: -
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity: CRITICAL

CVSS 3.1

Type: Secondary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

ics-cert@hq.dhs.gov: CWE-78

Hype score: Not currently trending