
EUVD-2025-19716

CVE-2025-34073 CRITICAL
OS Command Injection (CWE-78)
2025-07-02 disclosure@vulncheck.com
10.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
10.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None

Lifecycle Timeline

EUVD ID Assigned: Mar 16, 2026 - 01:55 (euvd), EUVD-2025-19716
Analysis Generated: Mar 16, 2026 - 01:55 (vuln.today)
CVE Published: Jul 02, 2025 - 14:15 (nvd), CRITICAL 10.0

Description (CVE.org)

An unauthenticated command injection vulnerability exists in stamparm/maltrail (Maltrail) versions <=0.54. A remote attacker can execute arbitrary operating system commands via the username parameter in a POST request to the /login endpoint. This occurs due to unsafe handling of user-supplied input passed to subprocess.check_output() in core/http.py, allowing injection of shell metacharacters. Exploitation does not require authentication and commands are executed with the privileges of the Maltrail process.

Analysis (AI)

Maltrail network traffic analysis tool versions through 0.54 contain an unauthenticated OS command injection via the username parameter in POST requests to the /login endpoint. The input is passed to subprocess.check_output() without sanitization, enabling remote code execution on the security monitoring server.

Technical Context (AI)

The /login endpoint passes the username parameter to subprocess.check_output() for logging purposes without sanitization. An attacker can inject shell commands through the username field that execute on the Maltrail server. The tool typically runs with elevated privileges for network packet capture.

Remediation (AI)

Update Maltrail beyond 0.54. Use parameterized subprocess calls with shell=False. Restrict login endpoint access. Run Maltrail with minimal privileges separate from the capture interface.
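
The "shell=False" remediation above, shown as an added example; this is not Maltrail's code and does not come from the advisory. The function names, the username allow-list and the child command are hypothetical stand-ins, and the sample username is constructed.

```python
import re
import subprocess
import sys

# Hypothetical stand-in for an external logging command (not Maltrail's code).
# The child simply prints the username it received as one argument.
CHILD = [sys.executable, "-c",
         "import sys; print('Failed login for ' + sys.argv[1])"]

# Assumed allow-list for usernames; adjust to the deployment's real policy.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def log_login_unsafe(username: str) -> str:
    """Weak pattern: input is interpolated into a string parsed by /bin/sh."""
    cmd = "echo Failed login for " + username
    return subprocess.check_output(cmd, shell=True, text=True)


def log_login_safe(username: str) -> str:
    """Hardened pattern: argv list with shell=False, so no shell parses input."""
    return subprocess.check_output(CHILD + [username], shell=False, text=True)


def log_login_validated(username: str) -> str:
    """Defense in depth: reject unexpected characters before any subprocess."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters outside the allow-list")
    return log_login_safe(username)


# Constructed sample input containing a shell metacharacter.
SAMPLE = "alice; echo INJECTED"

if __name__ == "__main__":
    print(repr(log_login_unsafe(SAMPLE)))  # the shell runs a second command
    print(repr(log_login_safe(SAMPLE)))    # the whole string is one argument
    try:
        log_login_validated(SAMPLE)
    except ValueError as exc:
        print("rejected:", exc)
```

The same input yields two output lines from the unsafe variant and a single literal line from the argv-list variant, which makes the pair usable as a regression test for any code path that hands request parameters to a subprocess.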
