Cyber Resilience

CVE-2025-10659

Critical · RCE

Published: 30 September 2025
Modified: 15 April 2026
CVSS v4 score: 9.3 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0128 (80.0th percentile)
Risk priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-10659 is a critical-severity OS Command Injection (CWE-78) vulnerability in Megasys (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 20.0% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The Telenium Online Web Application contains a remotely exploitable command injection vulnerability in a PHP endpoint reachable by unauthenticated network users. The flaw stems from an insecurely terminated regular expression used to validate user-supplied input, allowing the supplied data to bypass sanitization and be passed directly to operating system command execution.

An attacker with no credentials can submit a crafted HTTP request to the affected endpoint and execute arbitrary commands on the underlying server under the privileges of the web application service account. The vulnerability carries a CVSS 4.0 score of 9.3, reflecting a network attack vector, low attack complexity, no required privileges or user interaction, and high impact to confidentiality, integrity, and availability (VC:H/VI:H/VA:H).

Vendor and CISA advisories published at support.portal.megasys.com and cisa.gov/news-events/ics-advisories/icsa-25-273-01 contain mitigation guidance for affected deployments. The associated EPSS score remains low, with a current value of 0.0128 and a peak of 0.0155.

Vulnerability details

The Telenium Online Web Application is vulnerable due to a PHP endpoint accessible to unauthenticated network users that improperly handles user-supplied input. This vulnerability occurs due to the insecure termination of a regular expression check within the endpoint. Because the input is not correctly validated or sanitized, an unauthenticated attacker can inject arbitrary operating system commands through a crafted HTTP request, leading to remote code execution on the server in the context of the web application service account.

CWE(s)

CWE-78 (Improper Neutralization of Special Elements used in an OS Command, "OS Command Injection")

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

Direct unauthenticated RCE via OS command injection on a public-facing web app endpoint enables T1190 (Exploit Public-Facing Application) and arbitrary command execution via T1059 (Command and Scripting Interpreter).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-60962 (shared CWE-78)
CVE-2025-23316 (shared CWE-78)
CVE-2026-30880 (shared CWE-78)
CVE-2025-64124 (shared CWE-78)
CVE-2024-58274 (shared CWE-78)
CVE-2026-34188 (shared CWE-78)
CVE-2025-0680 (shared CWE-78)
CVE-2026-5965 (shared CWE-78)
CVE-2025-50194 (shared CWE-78)
CVE-2026-44590 (shared CWE-78)

Affected Assets

Megasys (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation · prevent
Directly requires checking the validity of user-supplied input to the PHP endpoint, preventing OS command injection due to improper validation and sanitization.

SI-2 Flaw Remediation · prevent
Requires timely identification, reporting, and remediation of the specific flaw in regex termination and input handling that enables RCE.

AC-14 Permitted Actions Without Identification or Authentication · prevent
Limits organization-defined permitted actions without identification or authentication, mitigating unauthenticated network access to the vulnerable endpoint.