CVE-2025-6775
BaseFortify
Publication date: 2025-06-27
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xiaoyunjie | openvpn-cms-flask | all versions before 1.2.8 (1.2.8 itself not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-6775 is a critical command injection (CWE-77) in the openvpn-cms-flask application, located in the create_user function behind the user creation endpoint. The username parameter is concatenated into a shell command string that is then executed with shell=True, so the shell interprets any metacharacters (such as ; | & $( ) or backticks) that an attacker places in the username. An authenticated privileged user can therefore run arbitrary operating-system commands with the privileges of the web application process, which can lead to full compromise of the host. The root causes are missing validation of the username and execution of a shell string built from untrusted input instead of a fixed argument list. [1, 3, 4]
How can this vulnerability impact me?
Exploitation gives an authenticated privileged user remote code execution on the server hosting openvpn-cms-flask, with whatever privileges the application process has. That compromises the confidentiality, integrity and availability of the system and can lead to full host takeover, theft of data (including the VPN configuration and credentials the application manages), service disruption, or lateral movement into the rest of the network. [1, 3, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There are two approaches. Active testing: an authenticated privileged user sends a request to the user creation endpoint with a username that carries a shell payload, for example {'username': ";touch /tmp/pwwn", 'nickname': 'exploit', 'summary': 'RCE test'}. If the file /tmp/pwwn appears on the server, the command injection is confirmed. Because the payload really executes on the host, do this only on a system you are authorised to test and keep the marker command harmless. A form-encoded equivalent with curl (adjust the endpoint path, encoding and authentication headers to your deployment): curl -X POST -d "username=';touch /tmp/pwwn'&nickname=exploit&summary=RCE test" https://<target>/api/v1/users. Passive checks: confirm whether the installed openvpn-cms-flask version is below 1.2.8; review application and web-server logs for username values submitted to the user creation endpoint that contain shell metacharacters (; | & ` $( ) or whitespace); and watch process-creation telemetry (auditd execve records, EDR) for /bin/sh -c children of the Flask worker process whose command line contains such characters or unexpected paths such as /tmp, since shell=True always spawns the command through /bin/sh. [4]
What immediate steps should I take to mitigate this vulnerability?
Upgrade openvpn-cms-flask to version 1.2.8 or later. According to the referenced fix, that release stops building a shell string from the username, replaces the insecure command execution with a safer invocation, and enforces stricter username validation. Until the upgrade is applied: the endpoint already requires a privileged account, so audit who holds that role and remove accounts that do not need it; restrict network access to the user creation endpoint to trusted administrators; and monitor for suspicious requests and unexpected shell processes spawned by the application. Filtering shell metacharacters at a reverse proxy or in front of the endpoint reduces the exposure but is not a substitute for the upgrade. [3, 5]
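The first answer describes the flaw (a username spliced into a shell string and run with shell=True) and the last one the fix (safer command execution plus stricter username validation). The following added example, written for this page and not taken from openvpn-cms-flask, puts the two patterns side by side. The actual management command that create_user runs is not shown on this page, so a harmless echo stands in for it; the allow-list pattern USERNAME_RE is an assumption for illustration, not the project's rule; and the injected marker is echo INJECTED rather than a file write, so running the demo leaves no trace.

```python
import re
import subprocess

# Stand-in for whatever management command create_user() actually runs;
# the real command is not shown on this page. echo keeps the demo harmless.
PLACEHOLDER_TOOL = "echo"

# Assumed allow-list for usernames (illustration, not the project's rule):
# a leading alphanumeric, then up to 31 of [A-Za-z0-9._-]. Nothing a shell
# treats specially (; | & $ ( ) ` quotes, whitespace) can pass this.
USERNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,31}")


def is_valid_username(username: str) -> bool:
    """Return True only if the whole string matches the allow-list."""
    return USERNAME_RE.fullmatch(username) is not None


def create_user_vulnerable(username: str) -> str:
    """CWE-77 pattern from the advisory: the attacker-controlled username is
    concatenated into one command string and handed to /bin/sh via shell=True,
    so any metacharacter in it changes which commands the shell executes."""
    cmd = f"{PLACEHOLDER_TOOL} creating {username}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def create_user_hardened(username: str) -> str:
    """Fixed pattern: validate against the allow-list first, then pass argv
    as a list with shell=False. The username reaches the tool as exactly one
    argument and no shell ever parses it, so metacharacters stay inert even
    if the allow-list were later relaxed."""
    if not is_valid_username(username):
        raise ValueError(f"rejected username: {username!r}")
    argv = [PLACEHOLDER_TOOL, "creating", username]
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    # Same shape as the advisory's ';touch /tmp/pwwn' payload, but harmless.
    payload = "alice; echo INJECTED"
    # Vulnerable path: the shell runs 'echo creating alice' AND 'echo INJECTED'.
    print(create_user_vulnerable(payload), end="")
    # Hardened path: the payload is rejected before any process is spawned.
    try:
        create_user_hardened(payload)
    except ValueError as exc:
        print("hardened:", exc)
    # A legitimate username still works through the argv-list path.
    print(create_user_hardened("alice"), end="")
```

The argv list is the real fix: even without the allow-list, "alice; echo INJECTED" would be delivered to the tool as a single literal argument. If a shell really cannot be avoided, wrap every interpolated value with shlex.quote(), but treat that as a fallback, not the primary control.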