CVE-2025-15389
Published: 31 December 2025
Summary
CVE-2025-15389 is a high-severity OS Command Injection (CWE-78) vulnerability in Org (inferred from references). Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 40.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-15389 is an OS Command Injection vulnerability (CWE-78) affecting the VPN Firewall developed by QNO Technology. Published on 2025-12-31, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.
Authenticated remote attackers with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows them to inject and execute arbitrary OS commands on the affected server, potentially leading to full system compromise.
Mitigation details are provided in advisories from TWCERT/CC, available at https://www.twcert.org.tw/en/cp-139-10614-dee41-2.html and https://www.twcert.org.tw/tw/cp-132-10613-e1780-1.html.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-205916
Vulnerability details
VPN Firewall developed by QNO Technology has an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an OS command injection in a network-accessible VPN Firewall, enabling remote exploitation of a public-facing application (T1190) and arbitrary Unix shell command execution (T1059.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 requires validation of information inputs to directly prevent OS command injection attacks like CVE-2025-15389.
SI-2 mandates timely identification, reporting, and correction of flaws, directly mitigating this specific command injection vulnerability through patching.
AC-6 enforces least privilege, limiting the impact of arbitrary OS commands executed by low-privileged authenticated attackers exploiting the vulnerability.