What is the CVSS score of CVE-2025-56425?

CVE-2025-56425 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H. EPSS exploitation probability: 0.3%.

Which versions of Enaio are affected by CVE-2025-56425?

Organizations using the AppConnector component face critical risk from CVE-2025-56425, a command injection vulnerability rated CVSS 9.1.

Is there a public PoC exploit available for CVE-2025-56425?

Yes, a public proof-of-concept exploit is available for CVE-2025-56425. Prioritise patching immediately. EPSS: 0.3%.

How to fix or mitigate CVE-2025-56425?

Within 24 hours: Identify all affected systems running the AppConnector component and apply vendor patches immediately. Validate that input sanitization is in place for all user-controlled parameters.

Enaio CVE-2025-56425

CRITICAL

Command Injection (CWE-77)

2026-01-08 cve@mitre.org

Command Injection Enaio

9.1

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.1 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Jan 23, 2026 - 02:15 vuln.today

Public exploit code

CVE Published

Jan 08, 2026 - 17:15 nvd

CRITICAL 9.1

DescriptionCVE.org

An issue was discovered in the AppConnector component version 10.10.0.183 and earlier of enaio 10.10, in the AppConnector component version 11.0.0.183 and earlier of enaio 11.0, and in the AppConnctor component version 11.10.0.183 and earlier of enaio 11.10. The vulnerability allows authenticated remote attackers to inject arbitrary SMTP commands via crafted input to the /osrest/api/organization/sendmail endpoint

AnalysisAI

enaio document management AppConnector (multiple versions) has SMTP command injection via the /osrest/api/organization/s endpoint. Authenticated attackers can inject arbitrary SMTP commands, potentially sending spam or phishing emails through the organization's mail server. PoC available.

Technical ContextAI

The endpoint concatenates user input into SMTP commands (CWE-77) sent to the configured mail server. An authenticated attacker can inject SMTP verbs and addresses to send emails as any organizational address.

RemediationAI

Update the AppConnector component. Implement SMTP command sanitization. Monitor outgoing email for anomalous patterns.

CVE-2025-56425 vulnerability details – vuln.today

Back

Enaio CVE-2025-56425

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code