CVE-2025-1845
Published: 03 March 2025
Summary
CVE-2025-1845 is a medium-severity Injection (CWE-74) vulnerability in Esafenet Dsm. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 26.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A command injection vulnerability exists in ESAFENET DSM version 3.1.2 within the examExportPDF function of the file /admin/plan/examExportPDF. The flaw is triggered by unsanitized input to the argument s and is tracked under CWE-74 and CWE-77. It received a CVSS 4.0 score of 5.3 and can be reached over the network.
An authenticated attacker with low privileges can supply a crafted s parameter to the endpoint and execute arbitrary operating-system commands on the server. The attack requires no user interaction and has been publicly disclosed with a working proof-of-concept.
No vendor patch or official advisory has been issued; the vendor was notified but did not respond. Public references consist of a GitHub report and Vuldb entries that document the issue and exploit details. The associated EPSS score remains low, moving only from 0.0077 to a peak of 0.0121.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5833
Vulnerability details
A vulnerability has been found in ESAFENET DSM 3.1.2 and classified as critical. Affected by this vulnerability is the function examExportPDF of the file /admin/plan/examExportPDF. The manipulation of the argument s leads to command injection. The attack can be launched…
more
remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection in public-facing web function directly enables remote exploitation (T1190) and arbitrary command execution via system interpreter (T1059).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly validates and sanitizes the 's' argument in the examExportPDF function to prevent command injection exploitation.
Requires identification, reporting, and remediation of the command injection flaw in ESAFENET DSM 3.1.2 to eliminate the vulnerability.
Restricts the type, size, and quantity of the 's' argument inputs to block malicious command injection payloads.