Cyber Resilience

CVE-2025-1947

MediumPublic PoC

Published: 04 March 2025

Published
04 March 2025
Modified
29 January 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0222 84.9th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1947 is a medium-severity Injection (CWE-74) vulnerability in Hzmanyun Education And Training System. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 15.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

A critical command injection vulnerability has been identified in hzmanyun Education and Training System version 2.1.3, specifically in the scorm function of UploadImageController.java. The flaw arises from improper handling of the param argument, which maps to CWE-74 and CWE-77 and permits arbitrary command execution when manipulated by an attacker.

The issue can be triggered remotely by an authenticated user with low privileges, allowing the attacker to inject and execute operating system commands on the affected server. CVSS 4.0 scoring rates the impact as limited to confidentiality, integrity, and availability on the vulnerable component itself, without broader scope effects.

Public references including a detailed disclosure on GitHub and entries in Vuldb indicate the exploit has already been published, though no official patch or mitigation guidance is described in the available advisories. The associated EPSS score rose from a low baseline to a peak of 0.0388 before settling at 0.0222, indicating emerging exploitation interest after public disclosure.

EU & UK References

Vulnerability details

A vulnerability classified as critical has been found in hzmanyun Education and Training System 2.1.3. This affects the function scorm of the file UploadImageController.java. The manipulation of the argument param leads to command injection. It is possible to initiate the…

more

attack remotely. The exploit has been disclosed to the public and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Command injection vulnerability in a public-facing web application (UploadImageController) directly enables exploitation of public-facing apps (T1190) and arbitrary command execution via command/scripting interpreters (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-1946Same product: Hzmanyun Education And Training System
CVE-2025-1676Same product: Hzmanyun Education And Training System
CVE-2025-1555Same product: Hzmanyun Education And Training System
CVE-2025-15131Shared CWE-74, CWE-77
CVE-2026-1687Shared CWE-74, CWE-77
CVE-2026-1414Shared CWE-74, CWE-77
CVE-2025-1845Shared CWE-74, CWE-77
CVE-2025-15133Shared CWE-74, CWE-77
CVE-2025-0328Shared CWE-74, CWE-77
CVE-2025-10962Shared CWE-74, CWE-77

Affected Assets

hzmanyun
education and training system
2.1.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly validates the untrusted 'param' argument in UploadImageController.java's scorm function to block command injection payloads.

prevent

Requires timely identification, reporting, and correction of the specific command injection flaw in hzmanyun Education and Training System 2.1.3.

detectrespond

Vulnerability scanning detects the publicly disclosed command injection vulnerability (CVE-2025-1947) in the affected system for prompt remediation.

References