Skip to main content

Trellix Network Security EUVDEUVD-2025-210348

| CVE-2025-7958 HIGH
Code Injection (CWE-94)
2026-06-26 trellix GHSA-9639-6pf9-jh9r
7.1
CVSS 4.0 · Vendor: trellix
Share

Severity by source

Vendor (trellix) PRIMARY
7.1 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.8 MEDIUM

Adjacent management-network access (AV:A) and existing full admin (PR:H) are required; once met it yields full code execution on the appliance, so C/I/A:H with no scope change.

3.1 AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (trellix).

CVSS VectorVendor: trellix

CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 11:22 vuln.today

DescriptionCVE.org

A Code Injection vulnerability existed in Trellix Network Security CM and NX. A locally authenticated admin user can execute arbitrary code using the web interface and Alert artifact details.

AnalysisAI

Authenticated code injection (CWE-94) in Trellix Network Security appliances (NX, EX, FX, AX, and CMS/Central Management) lets a logged-in administrator run arbitrary commands by abusing how the web UI renders Alert artifact details. The flaw requires existing high-privilege admin access on an adjacent network rather than remote anonymous access, so it functions primarily as a privilege/trust-boundary escape rather than a mass-exploitable internet-facing bug. The CVSS 4.0 maturity flag (E:P) indicates proof-of-concept exploit material exists, but the issue is not listed in CISA KEV and shows no confirmed active exploitation.

Technical ContextAI

Trellix Network Security (the former FireEye Network Security line) comprises the NX inline/threat-prevention sensors, EX email security, FX file/content analysis, AX malware analysis, and the CMS/Central Management orchestration appliance, all administered through a shared web console (CPE: cpe:2.3:a:trellix:trellix_network_security_nx,_ex,_fx,_ax,_and_cms). The root cause is CWE-94 (Improper Control of Generation of Code / Code Injection): data within the Alert artifact detail view - fields populated from captured/analyzed network or file artifacts - is incorporated into a code or command context without sufficient neutralization, so attacker-influenced content in those artifact fields is interpreted as executable code by the appliance rather than as inert display data.

RemediationAI

Apply the fix described in Trellix Knowledge Base article 000015433 (https://support.trellix.com/s/article/000015433) - patch available per vendor advisory, though an exact fixed version is not specified in the provided data, so confirm the target build for each appliance type (NX/EX/FX/AX/CMS) directly from that advisory. Because exploitation requires an authenticated admin on an adjacent network, the highest-value compensating controls until patching are: restrict the appliance management/web-UI interface to a dedicated management VLAN or jump-host so it is not reachable from general user or production segments (trade-off: tightened admin workflows, possible need for VPN/bastion access); enforce least-privilege and reduce the number of full-admin accounts, since PR:H is the key prerequisite (trade-off: operational overhead delegating roles); and enable strong authentication (MFA, unique strong credentials, audit logging) on all admin accounts and monitor the Alert artifact-detail views and admin command activity for anomalies (trade-off: more alerting noise to triage). Do not disable Alert artifact inspection wholesale, as that would undermine the appliance's detection mission.

Share

EUVD-2025-210348 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy