CVE-2025-1546
Published: 21 February 2025
Summary
CVE-2025-1546 is a high-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 25.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 directly prevents OS command injection by requiring validation of the vulnerable start_code input parameter in the log_operate_clear function.
SI-2 mandates timely identification, reporting, and correction of the specific software flaw enabling command injection in this CVE.
SC-7 mitigates remote exploitation by monitoring and controlling network access to the vulnerable /webui/modules/log/operate.mds endpoint.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct remote OS command injection in a network-accessible web endpoint enables unauthenticated exploitation of a public-facing application (T1190) and arbitrary command execution via the system's command interpreter (T1059).
NVD Description
A vulnerability has been found in BDCOM Behavior Management and Auditing System up to 20250210 and classified as critical. Affected by this vulnerability is the function log_operate_clear of the file /webui/modules/log/operate.mds. The manipulation of the argument start_code leads to os…
more
command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2025-1546 is a critical OS command injection vulnerability affecting the BDCOM Behavior Management and Auditing System versions up to 20250210. The issue resides in the log_operate_clear function within the file /webui/modules/log/operate.mds, where manipulation of the start_code argument enables attackers to inject arbitrary operating system commands. Classified under CWE-77 and CWE-78, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its remote exploitability and lack of prerequisites.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation allows injection and execution of OS commands, potentially resulting in limited impacts to confidentiality, integrity, and availability, such as data exfiltration, modification of system files, or denial of service on the targeted system. A proof-of-concept exploit has been publicly disclosed and may be actively used.
Advisories from VulDB and a related GitHub repository document the vulnerability but note that the vendor was contacted early without any response or patch release. Security practitioners should isolate affected systems, monitor for suspicious log_operate_clear requests, and apply network controls to block unauthorized access to the /webui/modules/log/operate.mds endpoint until a vendor fix is available.
Details
- CWE(s)