CVE-2025-0328
Published: 09 January 2025
Summary
CVE-2025-0328 is a medium-severity Injection (CWE-74) vulnerability in Zhaoj (inferred from references). Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); the CVE is ranked in the top 20.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A critical command injection vulnerability has been identified in the KaiYuanTong ECT Platform up to version 2.0.0. The flaw resides in the HTTP POST Request Handler component, specifically within the file /public/server/runCode.php, where unsanitized input to the "code" argument is passed to an underlying system command. This corresponds to CWE-74 and CWE-77 weaknesses and permits remote, unauthenticated attackers to inject and execute arbitrary operating-system commands.
An attacker can send a crafted HTTP POST request to the affected endpoint and achieve limited control over confidentiality, integrity, and availability on the target system. No user interaction or credentials are required, and the attack complexity is low. A public exploit has already been disclosed, enabling straightforward reproduction by threat actors with network access to the platform.
The vendor was notified prior to disclosure but did not respond or issue a patch. Public references, including detailed technical notes, confirm the issue is exploitable in default configurations. The associated EPSS score rose from a low baseline to a peak of 0.0214, indicating emerging exploitation interest after publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-1604
Vulnerability details
A vulnerability, which was classified as critical, has been found in KaiYuanTong ECT Platform up to 2.0.0. Affected by this issue is some unknown functionality of the file /public/server/runCode.php of the component HTTP POST Request Handler. The manipulation of the argument code leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated command injection in a public-facing web app (runCode.php) directly enables T1190 (Exploit Public-Facing Application) and facilitates T1059 (Command and Scripting Interpreter) for arbitrary command execution.
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): Directly prevents command injection by validating and sanitizing the 'code' argument in the vulnerable /public/server/runCode.php HTTP POST handler before it reaches any system command.
SI-2 (Flaw Remediation): Requires timely identification, reporting, and correction of the command injection flaw in the ECT Platform up to version 2.0.0.
Least privilege: Limits the scope and impact of arbitrary command execution by running the process that handles the 'code' argument with the fewest privileges it needs.
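To make the SI-10 control concrete, the following is an added illustration (not the ECT Platform's own code, and not a reconstruction of runCode.php) of the difference between splicing a 'code' parameter into a shell command line and passing a validated value as a discrete argument. The allow-list pattern, the runner path /opt/ect/runner, and the sample request records are assumptions constructed for the example; the advisory does not describe what a legitimate 'code' value looks like, so a deployer would tighten the pattern to their own data. The same validator is reused as a detection rule over parsed request records for POSTs to the affected endpoint.

```python
import re
from typing import Dict, List

# Assumed shape of a legitimate 'code' value: a short identifier. The real
# semantics of the parameter are not described in the advisory, so this
# allow-list pattern is a placeholder to be tightened per deployment.
CODE_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,64}")
RUNNER_BINARY = "/opt/ect/runner"  # hypothetical path, not from the advisory
TARGET_PATH = "/public/server/runCode.php"  # endpoint named in the advisory


def vulnerable_command_string(code: str) -> str:
    """The anti-pattern behind CWE-77: untrusted input spliced into a shell
    command line, so any shell metacharacter in `code` changes what the shell
    executes. Shown for contrast only; the hardened path below never builds
    such a string."""
    return f"{RUNNER_BINARY} {code}"


def validate_code(code: object) -> str:
    """SI-10 style check: accept only a plain identifier, reject everything else
    (including a missing value)."""
    if not isinstance(code, str) or CODE_PATTERN.fullmatch(code) is None:
        raise ValueError("invalid 'code' argument")
    return code


def hardened_argv(code: str) -> List[str]:
    """Pass the validated value as its own argv element, intended for
    subprocess.run(argv) with the default shell=False, so no shell parses it."""
    return [RUNNER_BINARY, validate_code(code)]


def flag_requests(requests: List[Dict[str, object]]) -> List[int]:
    """Detection view of the same rule: return the indexes of POSTs to the
    affected endpoint whose 'code' parameter fails validation. Input is a list
    of already-parsed request records (method, path, params)."""
    flagged = []
    for i, req in enumerate(requests):
        if req.get("method") != "POST" or req.get("path") != TARGET_PATH:
            continue
        params = req.get("params") or {}
        try:
            validate_code(params.get("code"))
        except ValueError:
            flagged.append(i)
    return flagged


# Constructed sample request records, not real traffic.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": TARGET_PATH, "params": {"code": "build42"}},
    {"method": "POST", "path": TARGET_PATH, "params": {"code": "42;extra"}},
    {"method": "POST", "path": TARGET_PATH, "params": {"code": "two words"}},
    {"method": "GET", "path": "/index.php", "params": {"code": "42;extra"}},
    {"method": "POST", "path": TARGET_PATH, "params": {}},
]

if __name__ == "__main__":
    print("argv for a valid value:", hardened_argv("build42"))
    print("flagged request indexes:", flag_requests(SAMPLE_REQUESTS))
```

The validator rejects rather than escapes: an allow-list of the expected shape is easier to reason about than trying to neutralise every shell construct, and combined with an argv list (no shell) the rejected class of input never has a shell to reach. Index 3 in the sample set is skipped because only POSTs to the affected path are in scope, while index 4 is flagged because a missing parameter is treated as invalid rather than silently accepted.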