CVE-2025-6225
Shell Command Injection in Kieback&Peter SM70 PHWEB Login
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: CERT.PL
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kieback_peter | neutrino_glt | to 9.40.02 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-6225 is a vulnerability in the Kieback&Peter Neutrino-GLT building management software, specifically in its web component called "SM70 PHWEB." The vulnerability allows an attacker to perform shell command injection via the login form, meaning they can inject and execute operating system commands on the server. These commands run with low system privileges. The issue affects versions prior to 9.40.02 and has been fixed in that version. [1]
How can this vulnerability impact me? :
This vulnerability can allow an attacker to execute arbitrary shell commands on the affected system with low privileges. This could lead to unauthorized actions such as information disclosure, system manipulation, or further exploitation depending on the commands executed. Although the commands run with low privileges, it still poses a security risk to the integrity and availability of the building management system. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade the Kieback&Peter Neutrino-GLT software to version 9.40.02 or later, where the vulnerability has been fixed. [1]