CVE-2025-50121
BaseFortify
Publication date: 2025-07-11
Last updated on: 2025-11-03
Assigner: Schneider Electric SE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an OS Command Injection (CWE-78) that allows unauthenticated remote code execution by creating a malicious folder via the web interface over HTTP when it is enabled. HTTP is disabled by default, but if enabled, an attacker can exploit this to execute arbitrary commands on the system.
How can this vulnerability impact me? :
This vulnerability can lead to severe impacts including unauthorized remote code execution, allowing attackers to take control of the affected system without authentication. This can result in data breaches, system compromise, and disruption of services.
What immediate steps should I take to mitigate this vulnerability?
Disable the HTTP web interface if it is enabled, as the vulnerability requires the HTTP interface to be enabled to be exploited. Since HTTP is disabled by default, ensure it remains disabled or restrict access to it to prevent unauthenticated remote code execution.