Skip to main content

CVE-2025-6512

| EUVDEUVD-2025-18870 CRITICAL
Code Injection (CWE-94)
2025-06-23 0beee27a-7d8c-424f-8e46-ac453fa147e6
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 05:53 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
3.06
EUVD ID Assigned
Mar 15, 2026 - 22:10 euvd
EUVD-2025-18870
Analysis Generated
Mar 15, 2026 - 22:10 vuln.today
CVE Published
Jun 23, 2025 - 13:15 nvd
CRITICAL 10.0

DescriptionCVE.org

On a client with a non-admin user, a script can be integrated into a report. The reports could later be executed on the BRAIN2 server with administrator rights.

AnalysisAI

CVE-2025-6512 is a critical privilege escalation vulnerability in BRAIN2 where unauthenticated attackers can inject malicious scripts into reports on non-admin client systems, which are then executed with administrator privileges on the BRAIN2 server. This represents a complete system compromise with CVSS 10.0 severity, affecting all users regardless of their local privilege level. No authentication is required to exploit this vulnerability, making it immediately exploitable in network environments.

Technical ContextAI

This vulnerability is rooted in CWE-94 (Improper Control of Generation of Code - Code Injection), where the BRAIN2 application fails to properly sanitize or validate script content embedded in report files before execution. The attack vector is network-based with no interaction required, indicating the vulnerability likely exists in a report processing or import mechanism accessible over the network. The vulnerability chain involves: (1) a non-admin user or external attacker crafting a malicious report file containing executable code, (2) integration of this script into the BRAIN2 reporting system, and (3) subsequent execution of the report on the BRAIN2 server under administrative context without proper validation. The root cause is insufficient input validation and improper privilege separation between report creation/modification contexts and report execution contexts.

RemediationAI

Immediate actions: (1) Restrict network access to BRAIN2 report processing services using network segmentation and firewall rules, allowing only trusted sources. (2) Disable report execution features if not critical to operations until patching is available. (3) Implement strict input validation and sanitization for all report file uploads, rejecting files with embedded scripts. (4) Apply the latest BRAIN2 security patches from the vendor (contact BRAIN2 vendor for CVE-2025-6512 specific patch availability and version numbers). (5) Review and restrict report creation permissions to trusted administrative users only. (6) Implement execution policies preventing script execution in report contexts, or execute reports in isolated/sandboxed environments with minimal privileges.

Share

CVE-2025-6512 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy