Cyber Resilience

CVE-2025-15060

Critical · RCE

Published: 16 March 2026

Modified: 16 March 2026
KEV Added:
Patch:
CVSS Score v3: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0163 (73.1th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-15060 is a critical-severity OS Command Injection (CWE-78) vulnerability in claude-hovercraft; the affected-asset label "Zerodayinitiative" is inferred from references. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 26.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as APIs and Models, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

The vulnerability is a command injection flaw resulting in remote code execution, tracked as CVE-2025-15060 and originally ZDI-CAN-27785. It affects the executeClaudeCode method in claude-hovercraft, where a user-supplied string is used in a system call without proper validation. The issue carries a CVSS score of 9.8 and is classified under CWE-78.

Remote attackers require no authentication to exploit the flaw over the network. Successful exploitation allows arbitrary code execution in the context of the service account running the affected software.

The Zero Day Initiative has published advisory ZDI-26-124 covering the issue. The EPSS score remains flat at 0.0174 with no material increase observed after disclosure.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

claude-hovercraft executeClaudeCode Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of claude-hovercraft. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the executeClaudeCode method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27785.

CWE(s)

AI Security Analysis · AI

AI Category: APIs and Models
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: claude

Related Threats

CVEs Like This One

CVE-2018-25115 (Shared CWE-78)
CVE-2025-41276 (Shared CWE-78)
CVE-2026-28463 (Shared CWE-78)
CVE-2024-55590 (Shared CWE-78)
CVE-2026-23678 (Shared CWE-78)
CVE-2025-56089 (Shared CWE-78)
CVE-2025-56087 (Shared CWE-78)
CVE-2025-10230 (Shared CWE-78)
CVE-2026-27635 (Shared CWE-78)
CVE-2026-28470 (Shared CWE-78)

Affected Assets

Zerodayinitiative
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly requires validation of untrusted input before it is used in system calls, blocking the command-injection flaw in executeClaudeCode.

prevent: Limits privileges of the service account under which injected commands would execute, reducing the impact of successful exploitation.

prevent: Restricts the system to only necessary functions and disables dangerous command interpreters or utilities that enable the RCE.

References