Cyber Resilience

CVE-2025-15540

Severity: High · RCE

Published: 16 March 2026
Modified: 17 March 2026
KEV Added: not listed
Patch: fixed in version 1.4.6
CVSS v4.0 score: 8.6 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0048 (37.5th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2025-15540 is a high-severity Code Injection (CWE-94) vulnerability in Raytha CMS (vendor: Raytha). Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). By exploit likelihood it ranks at the 37.5th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SC-39 (Process Isolation).

Deeper analysis

CVE-2025-15540 is a code injection vulnerability (CWE-94) in the "Functions" module of Raytha CMS. This module lets privileged users write custom JavaScript to extend application functionality. Because that JavaScript runs without sandboxing or access restrictions, code executed through the Functions feature can instantiate .NET components and perform arbitrary operations within the application's hosting environment: the script boundary does not correspond to any security boundary in the host process. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An attacker with low privileges, such as an authenticated user granted access to the Functions module, can exploit this over the network with low complexity and without user interaction. By injecting malicious JavaScript, they can use .NET component instantiation to execute arbitrary code in the hosting environment, with high impact to confidentiality, integrity, and availability, potentially leading to full server compromise.

The vulnerability was fixed in Raytha CMS version 1.4.6. Additional mitigation details are available in the advisory at https://cert.pl/en/posts/2026/03/CVE-2025-69236 and on the vendor site at https://raytha.com.
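As an added illustration (not Raytha's code; this page does not name the JavaScript engine Raytha embeds), the snippet below uses Jint, a common embedded JavaScript engine for .NET, to contrast the weak configuration the advisory describes (scripts can reach the CLR) with a hardened one: no CLR interop, resource limits, and a single allow-listed host object. The `HostApi` class and the `host` binding are illustrative names.

```csharp
using System;
using Jint;
using Jint.Runtime;

// Added example built on Jint; Raytha's real engine and host API are not named on
// this page, so HostApi and the "host" binding below are illustrative.
public static class FunctionsSandbox
{
    // Weak configuration: AllowClr() exposes importNamespace/System to scripts, so a
    // script author can instantiate arbitrary .NET types (the CWE-94 condition).
    public static Engine CreateUnsafeEngine() =>
        new Engine(options => options.AllowClr());

    // Hardened configuration: no CLR interop at all, plus CPU/memory/recursion limits so
    // a buggy or hostile function cannot stall or exhaust the hosting process.
    public static Engine CreateSandboxedEngine()
    {
        var engine = new Engine(options => options
            .TimeoutInterval(TimeSpan.FromMilliseconds(500))
            .MaxStatements(10_000)
            .LimitRecursion(64)
            .LimitMemory(4 * 1024 * 1024)
            .Strict());
        // Only this explicit, minimal surface is reachable from script.
        engine.SetValue("host", new HostApi());
        return engine;
    }

    public sealed class HostApi
    {
        public string Upper(string s) => s?.ToUpperInvariant() ?? "";
    }

    // Deployment self-check: the sandboxed engine must not expose CLR entry points.
    public static bool ClrIsReachable(Engine engine) =>
        engine.Evaluate("typeof importNamespace !== 'undefined'").AsBoolean();

    // Runs an untrusted function body; script errors and limit violations are contained.
    public static (bool ok, string result) Run(Engine engine, string code)
    {
        try
        {
            return (true, engine.Evaluate(code).ToString());
        }
        catch (JavaScriptException ex)   // e.g. ReferenceError from the script itself
        {
            return (false, "script error: " + ex.Message);
        }
        catch (JintException ex)         // timeout, statement, recursion or memory limit
        {
            return (false, "limit exceeded: " + ex.GetType().Name);
        }
    }
}
```

`ClrIsReachable(CreateUnsafeEngine())` returns true and `ClrIsReachable(CreateSandboxedEngine())` returns false, which is the property a deployment test for this class of issue should assert.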

Vulnerability details

"Functions" module in Raytha CMS allows privileged users to write custom code to add functionality to the application. Due to a lack of sandboxing or access restrictions, JavaScript code executed through Raytha's "functions" feature can instantiate .NET components and perform arbitrary operations within the application's hosting environment. This issue was fixed in version 1.4.6.

CWE(s): CWE-94 Code Injection

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1059.007 JavaScript (tactic: Execution)
Adversaries may abuse various implementations of JavaScript for execution.
T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

Direct JavaScript code injection (CWE-94) without sandboxing enables arbitrary .NET execution, which maps to T1059.007; low-privilege access to the Functions module yielding full code execution in the hosting environment maps to T1068.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-69240 (same product: Raytha)
CVE-2025-69246 (same product: Raytha)
CVE-2026-43898 (shared CWE-94)
CVE-2026-27495 (shared CWE-94)
CVE-2026-27574 (shared CWE-94)
CVE-2026-30887 (shared CWE-94)
CVE-2025-25943 (shared CWE-94)
CVE-2025-33240 (shared CWE-94)
CVE-2025-64691 (shared CWE-94)
CVE-2026-26682 (shared CWE-94)

Affected Assets

Vendor: Raytha
Product: Raytha
Versions: ≤ 1.4.6

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

Prevent: Implement process isolation mechanisms to sandbox execution of user-provided JavaScript in the Functions module, preventing instantiation of .NET components and arbitrary operations within the hosting environment.

Prevent: Enforce software-based separation and policy mechanisms to restrict the operational scope of untrusted code executed via the Functions feature, mitigating the lack of access restrictions.

Prevent: Provide safeguards such as sandboxing or restrictions against malicious JavaScript mobile code execution through the Functions module, directly addressing the code injection vulnerability.
