CVE-2025-1947
Published: 04 March 2025
Summary
CVE-2025-1947 is a medium-severity Injection (CWE-74) vulnerability in Hzmanyun Education And Training System. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
A critical command injection vulnerability has been identified in hzmanyun Education and Training System version 2.1.3, specifically in the scorm function of UploadImageController.java. The flaw arises from improper handling of the param argument, which maps to CWE-74 and CWE-77 and permits arbitrary command execution when manipulated by an attacker.
The issue can be triggered remotely by an authenticated user with low privileges, allowing the attacker to inject and execute operating system commands on the affected server. CVSS 4.0 scoring rates the impact as limited to confidentiality, integrity, and availability on the vulnerable component itself, without broader scope effects.
Public references, including a detailed disclosure on GitHub and entries in VulDB, indicate that the exploit has already been published, though no official patch or mitigation guidance is described in the available advisories. The associated EPSS score rose from a low baseline to a peak of 0.0388 before settling at 0.0222, indicating emerging exploitation interest after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7447
Vulnerability details
A vulnerability classified as critical has been found in hzmanyun Education and Training System 2.1.3. This affects the function scorm of the file UploadImageController.java. The manipulation of the argument param leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection vulnerability in a public-facing web application (UploadImageController) directly enables exploitation of public-facing apps (T1190) and arbitrary command execution via command/scripting interpreters (T1059).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly validates the untrusted 'param' argument in the scorm function of UploadImageController.java so that command injection payloads are rejected before they reach an OS command.
- SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of the specific command injection flaw in hzmanyun Education and Training System 2.1.3.
- RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning detects the publicly disclosed command injection vulnerability (CVE-2025-1947) in the affected system so it can be remediated promptly.