Cyber Posture

CVE-2025-15540

Severity: High · Class: RCE

Published: 16 March 2026
Modified: 17 March 2026
KEV Added: (not listed)
Patch: available
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0006 (17.4th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-15540 is a high-severity Code Injection (CWE-94) vulnerability in Raytha CMS (vendor: Raytha, product: Raytha). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). The CVE is ranked at the 17.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SC-39 (Process Isolation).

Threat & Defense at a Glance

What attackers do: exploitation maps to JavaScript (T1059.007) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- Prevent: Implements process isolation mechanisms to sandbox execution of user-provided JavaScript in the Functions module, preventing instantiation of .NET components and arbitrary operations within the hosting environment.
- Prevent: Enforces software-based separation and policy mechanisms to restrict the operational scope of untrusted code executed via the Functions feature, mitigating the lack of access restrictions.
- Prevent: Provides safeguards such as sandboxing or restrictions against malicious JavaScript mobile code execution through the Functions module, directly addressing the code injection vulnerability.

MITRE ATT&CK Enterprise Techniques [AI-generated]

- T1059.007 JavaScript (tactic: Execution): Adversaries may abuse various implementations of JavaScript for execution.
- T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct JavaScript code injection (CWE-94) without sandboxing enables arbitrary .NET execution, which maps to T1059.007; low-privilege access to the Functions module yielding full code-execution impact on the host maps to T1068.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

"Functions" module in Raytha CMS allows privileged users to write custom code to add functionality to application. Due to a lack of sandboxing or access restrictions, JavaScript code executed through Raytha's "functions" feature can instantiate .NET components and perform arbitrary operations within the application's hosting environment. This issue was fixed in version 1.4.6.

Deeper analysis [AI-generated]

CVE-2025-15540 is a code injection vulnerability (CWE-94) in the "Functions" module of Raytha CMS. This module enables privileged users to write custom JavaScript code to extend application functionality. Due to a lack of sandboxing or access restrictions, such JavaScript executed through the Functions feature can instantiate .NET components and perform arbitrary operations within the application's hosting environment. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Attackers with low privileges, such as authenticated users granted access to the Functions module, can exploit this over the network with low complexity and no user interaction required. By injecting malicious JavaScript, they can leverage .NET component instantiation to execute arbitrary code in the hosting environment, resulting in high impacts to confidentiality, integrity, and availability, potentially leading to full server compromise.

The vulnerability was fixed in Raytha CMS version 1.4.6. Additional mitigation details are available in the advisory at https://cert.pl/en/posts/2026/03/CVE-2025-69236 and on the vendor site at https://raytha.com.

Details

CWE(s)

CWE-94 (Code Injection)

Affected Products

raytha / raytha: ≤ 1.4.6

CVEs Like This One

- CVE-2025-69246 (same product: Raytha Raytha)
- CVE-2025-69240 (same product: Raytha Raytha)
- CVE-2026-27495 (shared CWE-94)
- CVE-2026-30887 (shared CWE-94)
- CVE-2026-27574 (shared CWE-94)
- CVE-2025-25943 (shared CWE-94)
- CVE-2025-63421 (shared CWE-94)
- CVE-2024-7425 (shared CWE-94)
- CVE-2026-26682 (shared CWE-94)
- CVE-2025-64691 (shared CWE-94)

References