
CVE-2025-29902 (EUVD-2025-18259)

Severity: CRITICAL, CVSS 3.1 base score 10.0
Weakness: Code Injection (CWE-94)
Published: 2025-06-13 (psirt@bosch.com)

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (6 events)

Analysis Updated: Apr 16, 2026 - 05:54 (source: EUVD-patch-fix; detail: executive_summary)
Re-analysis Queued: Apr 16, 2026 - 05:29 (source: backfill_euvd_patch; detail: patch_released)
Patch available: Apr 16, 2026 - 05:29 (source: EUVD; detail: 6.6.0, 1.3.0)
EUVD ID Assigned: Mar 14, 2026 - 21:34 (source: euvd; detail: EUVD-2025-18259)
Analysis Generated: Mar 14, 2026 - 21:34 (source: vuln.today)
CVE Published: Jun 13, 2025 - 10:15 (source: nvd; detail: CRITICAL 10.0)

Description (NVD)

Remote code execution that allows unauthorized users to execute arbitrary code on the server machine.

Analysis (AI-generated)

Critical remote code execution vulnerability with the maximum CVSS score of 10.0. It allows unauthenticated attackers to execute arbitrary code on affected servers over the network, with no user interaction required. The vulnerability stems from improper control of code generation (CWE-94: Improper Control of Generation of Code) and affects systems that evaluate or interpret untrusted input as code. Given the maximum CVSS severity, the network attack vector, and the absence of any authentication requirement, this vulnerability represents an immediate and severe threat to any exposed system and should be treated as a critical patching priority regardless of additional context.

Technical Context (AI-generated)

This vulnerability is rooted in CWE-94 (Improper Control of Generation of Code), which covers unsafe code evaluation, dynamic code execution, and deserialization flaws. The attack vector is network-based (AV:N) with low complexity (AC:L), indicating the flaw can be triggered through standard network protocols without requiring special conditions. The vulnerability affects the code generation or interpretation layer of the affected software, most likely through an unsafe eval()-style function, unsafe deserialization, template injection, or expression-language injection. Because no CPE data is provided, the vulnerability likely affects multiple versions of a widely deployed application or library. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C indicates network accessibility, no privilege requirement, no user interaction, and a scope change, meaning the impact extends beyond the vulnerable component itself.

Remediation (AI-generated)

Immediate remediation steps:

(1) URGENT: Apply security patches from the affected vendor(s) as soon as they become available; do not delay implementation.
(2) If patches are unavailable, implement immediate compensating controls: disable or restrict network access to affected services using firewall/WAF rules, implement network segmentation to limit exposure, and disable dynamic code execution features if configurable.
(3) Monitor systems for signs of exploitation (unusual process execution, network connections from unexpected sources, code generation activities).
(4) Implement input validation and sanitization to reject suspicious payloads attempting code injection.
(5) Deploy web application firewalls (WAF) with signatures for CWE-94 exploitation attempts.
(6) Review and restrict code evaluation functionality; prefer safe alternatives such as domain-specific languages or sandboxed execution.
(7) Conduct an incident response readiness review given the RCE risk.
(8) Prioritize this above all other patching activities.

Check vendor security advisories at: [Vendor Security Bulletins - Specific URLs require vendor identification which is not provided in available data].


CVE-2025-29902 vulnerability details – vuln.today
