Cyber Posture

CVE-2025-14700

Critical

Published: 17 December 2025
Modified: 23 December 2025
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0011 (29.1 percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-14700 is a critical-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Craftycontrol Crafty Controller. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 29.1 percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): directly addresses the input neutralization failure by requiring validation of inputs to the Webhook Template component, preventing SSTI and subsequent RCE.

SI-2 Flaw Remediation (prevent): mandates identification, reporting, and correction of flaws like CVE-2025-14700, enabling patching of the SSTI vulnerability in Crafty Controller.

SI-9 (prevent): restricts the types and amounts of information inputs to the Webhook Template component, mitigating SSTI by blocking malicious template payloads.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1221 Template Injection (Stealth): Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.

Why these techniques?

The SSTI vulnerability in the public-facing Webhook Template component enables remote code execution, directly facilitating T1221 (Template Injection) and T1190 (Exploit Public-Facing Application).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

An input neutralization vulnerability in the Webhook Template component of Crafty Controller allows a remote, authenticated attacker to perform remote code execution via Server Side Template Injection.

Deeper analysis

CVE-2025-14700 is an input neutralization vulnerability (CWE-1336) affecting the Webhook Template component in Crafty Controller. This flaw enables server-side template injection (SSTI), allowing a remote, authenticated attacker to achieve remote code execution. The vulnerability was published on 2025-12-17 and carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its high impact and network accessibility.

An attacker requires only low privileges (PR:L) as an authenticated user to exploit this vulnerability remotely over the network with low complexity and no user interaction. Successful exploitation grants full remote code execution on the server, compromising confidentiality, integrity, and availability with a scope change (S:C), potentially leading to complete system takeover.

The vulnerability is tracked in Crafty Controller's GitLab repository at https://gitlab.com/crafty-controller/crafty-4/-/issues/646, which serves as the primary advisory reference.

Details

CWE(s): CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine)

Affected Products: craftycontrol crafty controller 4.6.1

CVEs Like This One (all share CWE-1336)

CVE-2025-60355, CVE-2025-68929, CVE-2025-67843, CVE-2025-64087, CVE-2025-68454, CVE-2025-59340, CVE-2025-66294, CVE-2025-53909, CVE-2025-12107, CVE-2025-66434