CVE-2025-65199
BaseFortify
Publication date: 2025-12-10
Last updated on: 2025-12-10
Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| windscribe | windscribe | 2.18.3-alpha |
| windscribe | windscribe | 2.18.8 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a command injection flaw in the Windscribe Linux Desktop App. It allows a local user who belongs to the windscribe group to execute arbitrary commands with root privileges by exploiting the 'adapterName' parameter in the 'changeMTU' function.
How can this vulnerability impact me? :
An attacker with local access and membership in the windscribe group can exploit this vulnerability to run arbitrary commands as root, potentially leading to full system compromise, unauthorized data access, or disruption of system operations.
What immediate steps should I take to mitigate this vulnerability?
Update Windscribe for Linux Desktop App to version 2.18.3-alpha or 2.18.8 or later, as these versions contain the fix for the command injection vulnerability.