CVE-2025-25940

CRITICAL
2025-03-10 [email protected]
9.8
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 19:50 vuln.today
PoC Detected
Jun 23, 2025 - 20:05 vuln.today
Public exploit code
CVE Published
Mar 10, 2025 - 16:15 nvd
CRITICAL 9.8

Tags

Java

Description

VisiCut 2.1 allows code execution via Insecure XML Deserialization in the loadPlfFile method of VisicutModel.java.

Analysis

VisiCut 2.1 allows remote code execution through insecure XML deserialization in the loadPlfFile method. An attacker who can supply a crafted PLF file can execute arbitrary Java code on the victim's machine. A public PoC exploit exists and no patch is available.

Technical Context

The loadPlfFile method in VisicutModel.java processes PLF files (XML-based project files) using Java deserialization without restricting which classes can be instantiated (CWE-502). Gadget chains in common Java libraries can be leveraged for code execution.

Affected Products

VisiCut 2.1

Remediation

Avoid opening PLF files from untrusted sources. Run VisiCut in a sandboxed environment. Monitor the VisiCut project for security updates.

Priority Score

70
Low Medium High Critical
KEV: 0
EPSS: +1.3
CVSS: +49
POC: +20

Share

CVE-2025-25940 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy