Skip to main content

CVE-2025-62193

CRITICAL
OS Command Injection (CWE-78)
2026-01-15 9119a7d8-5eab-497f-8521-727c672e3725
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Jan 15, 2026 - 17:16 nvd
CRITICAL 9.8

DescriptionCVE.org

Sites running NOAA PMEL Live Access Server (LAS) are vulnerable to remote code execution via specially crafted requests that include PyFerret expressions. By leveraging a SPAWN command, a remote, unauthenticated attacker can execute arbitrary OS commands. Fixed in a version of 'gov.noaa.pmel.tmap.las.filter.RequestInputFilter.java' from 2025-09-24.

AnalysisAI

NOAA PMEL Live Access Server (LAS) has unauthenticated RCE through PyFerret SPAWN commands embedded in requests. Scientific data servers running LAS are vulnerable to complete compromise.

Technical ContextAI

The server processes PyFerret expressions from user requests without filtering the SPAWN command (CWE-78), which executes arbitrary OS commands. Fixed in a specific version of RequestInputFilter.java from 2025-09-24.

Affected ProductsAI

NOAA PMEL Live Access Server (before 2025-09-24 fix)

RemediationAI

Apply the RequestInputFilter.java fix. Restrict LAS access to trusted networks.

Share

CVE-2025-62193 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy