CVE-2025-10659
Published: 30 September 2025
Summary
CVE-2025-10659 is a critical-severity OS Command Injection (CWE-78) vulnerability in the Megasys Telenium Online Web Application. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The Telenium Online Web Application contains a remotely exploitable command injection vulnerability in a PHP endpoint reachable by unauthenticated network users. The flaw stems from an insecurely terminated regular expression used to validate user-supplied input, allowing the supplied data to bypass sanitization and be passed directly to operating system command execution.
An attacker with no credentials can submit a crafted HTTP request to the affected endpoint and execute arbitrary commands on the underlying server under the privileges of the web application service account. The vulnerability carries a CVSS 4.0 score of 9.3, reflecting network attack vector, low complexity, and full impact to confidentiality, integrity, and availability without any required user interaction.
Vendor and CISA advisories published at support.portal.megasys.com and cisa.gov/news-events/ics-advisories/icsa-25-273-01 contain mitigation guidance for affected deployments. The associated EPSS score remains low, with a current value of 0.0128 (roughly a 1.3% estimated probability of exploitation activity in the next 30 days) and a peak of 0.0155.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-31772
Vulnerability details
The Telenium Online Web Application is vulnerable due to a PHP endpoint accessible to unauthenticated network users that improperly handles user-supplied input. This vulnerability occurs due to the insecure termination of a regular expression check within the endpoint. Because the input is not correctly validated or sanitized, an unauthenticated attacker can inject arbitrary operating system commands through a crafted HTTP request, leading to remote code execution on the server in the context of the web application service account.
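The bug class described above, as an added illustration in PHP that is not Megasys or Telenium code: the real endpoint, its parameter name and its regular expression are not public, so the hypothetical `host` parameter, the three validators and the `ping` command below are assumptions chosen to show how an unterminated (or `$`-terminated) pattern lets shell metacharacters through, and how the same check looks when anchored with `\A`/`\z` and executed without a shell.

```php
<?php
declare(strict_types=1);

/*
 * Added illustration, not vendor code. Everything here (the "host" parameter,
 * the regexes, the ping command) is invented to show the bug class the
 * advisory describes: a regex check that is not terminated at the end of the
 * subject, followed by interpolation into an OS command.
 */

// Vulnerable check: anchored at '^' only. preg_match() returns 1 as soon as a
// prefix matches, so anything after "10.0.0.1" is never inspected.
function weakValidate(string $host): bool
{
    return preg_match('/^[A-Za-z0-9.-]+/', $host) === 1;
}

// Also insufficient: without the D modifier, '$' matches before a final "\n",
// so "10.0.0.1\n" passes and the newline reaches the shell.
function dollarValidate(string $host): bool
{
    return preg_match('/^[A-Za-z0-9.-]+$/', $host) === 1;
}

// Hardened check: \A and \z cover the whole subject, the first character may
// not be '-' (so the value cannot be parsed as an option), length is bounded.
function strictValidate(string $host): bool
{
    return preg_match('/\A[A-Za-z0-9][A-Za-z0-9.-]{0,252}\z/', $host) === 1;
}

// The string a vulnerable endpoint would hand to /bin/sh -c after weakValidate():
// metacharacters in $host are interpreted by the shell.
function vulnerableCommand(string $host): string
{
    return 'ping -c 1 ' . $host;
}

// Hardened execution: strict validation, then an argv array (proc_open array
// form, PHP >= 7.4) so no shell ever parses the value.
function safePing(string $host): string
{
    if (!strictValidate($host)) {
        throw new InvalidArgumentException('invalid host');
    }
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['ping', '-c', '1', $host], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    $out = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Constructed inputs: a benign host, a separator injection, a trailing newline.
foreach (["10.0.0.1", "10.0.0.1; id", "10.0.0.1\n"] as $in) {
    printf("%-16s weak=%d dollar=%d strict=%d  cmd=%s\n",
        json_encode($in), weakValidate($in), dollarValidate($in),
        strictValidate($in), json_encode(vulnerableCommand($in)));
}

try {
    safePing("10.0.0.1; id");
} catch (InvalidArgumentException $e) {
    echo "safePing rejected the injection: {$e->getMessage()}\n";
}
```

Run with `php example.php`. The first input passes all three checks; `"10.0.0.1; id"` passes only the `^`-anchored check (so `vulnerableCommand()` yields `ping -c 1 10.0.0.1; id`, two commands once a shell sees it); `"10.0.0.1\n"` passes both the `^`-only and the `$`-terminated checks but not the `\A`/`\z` one. The design point is that validation and execution are separate layers: fix the anchor so the whole value is checked, and stop building shell strings so that a future validator mistake is not itself an RCE.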
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unauthenticated RCE via OS command injection on a public-facing web app endpoint enables T1190 (Exploit Public-Facing Application) and arbitrary command execution via T1059 (Command and Scripting Interpreter).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires checking the validity of user-supplied input to the PHP endpoint, preventing OS command injection due to improper validation and sanitization.
- SI-2 (Flaw Remediation): requires timely identification, reporting, and remediation of the specific flaw in regex termination and input handling that enables RCE.
- AC-14 (Permitted Actions Without Identification or Authentication): limits organization-defined permitted actions without identification or authentication, mitigating unauthenticated network access to the vulnerable endpoint.