Skip to main content

CVE-2025-7451

| EUVDEUVD-2025-21302 CRITICAL
OS Command Injection (CWE-78)
2025-07-14 twcert@cert.org.tw
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 05:51 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
732,137
EUVD ID Assigned
Mar 16, 2026 - 09:43 euvd
EUVD-2025-21302
Analysis Generated
Mar 16, 2026 - 09:43 vuln.today
CVE Published
Jul 14, 2025 - 03:15 nvd
CRITICAL 9.8

DescriptionCVE.org

The iSherlock developed by Hgiga has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server. This vulnerability has already been exploited. Please update immediately.

AnalysisAI

CVE-2025-7451 is a critical OS Command Injection vulnerability in iSherlock (developed by Hgiga) that allows unauthenticated remote attackers to execute arbitrary operating system commands on vulnerable servers with no authentication required. The vulnerability has active in-the-wild exploitation, carries a maximum CVSS score of 9.8, and poses immediate risk to all exposed instances. Organizations running iSherlock must apply patches immediately.

Technical ContextAI

This vulnerability exploits improper input validation in iSherlock's command processing functionality, classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The root cause stems from insufficient sanitization of user-supplied input before passing it to OS command execution functions. iSherlock, developed by Hgiga, appears to be a security or monitoring application that processes user commands; the lack of proper escaping or parameterized execution allows attackers to inject shell metacharacters and arbitrary commands. This is a classic OS command injection flaw where user input is directly concatenated into system calls without proper validation, filtering, or use of safe APIs that would prevent command interpretation.

RemediationAI

  1. Immediate Actions: Isolate or remove iSherlock from network exposure until patched; block external access via firewall rules; implement network-level IDS/IPS signatures for CVE-2025-7451 exploitation attempts. 2. Patch Availability: Contact Hgiga directly for patch availability and version-specific updates (specific patch versions not provided in available references; vendor advisory must be obtained from Hgiga's official security channel). 3. Workarounds: If patching is delayed, implement strict input validation/WAF rules to block OS command metacharacters (|, &, ;, $, `, >, <, \n, etc.) in all user inputs; run iSherlock with minimal OS privileges; use OS-level command execution restrictions (e.g., seccomp, AppArmor, SELinux) to limit damage. 4. Detection: Hunt for exploitation indicators in logs—unusual command execution patterns, unexpected process spawning, or HTTP/API requests containing shell metacharacters.

Share

CVE-2025-7451 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy