CVE-2025-20016
Published: 14 January 2025
Summary
CVE-2025-20016 is a high-severity OS Command Injection (CWE-78) vulnerability in the Y'S corporation STEALTHONE D220/D340/D440 network storage servers (vendor and product inferred from the JVN references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 27.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-20016 is an OS command injection vulnerability, tracked under CWE-78, that affects the web management interface of Y'S corporation STEALTHONE D220, D340, and D440 network storage servers. The flaw permits an authenticated administrator to supply crafted input that results in execution of arbitrary operating-system commands on the underlying host.
An attacker who already possesses administrative credentials and network access to the management page can use the injection to gain full control over the affected appliance, including the ability to read, modify, or delete data and to alter system behavior. The CVSS 7.2 score reflects high impact across confidentiality, integrity, and availability, tempered by the administrative privileges required to reach the vulnerable input.
Vendor advisories referenced in JVN VU99653331 and the STEALTHONE firmware release notes indicate that the issue is addressed by applying the updated firmware versions D220/D340 v6-03-03 or D440 v7-00-11. Administrators are advised to install these releases and restrict management-interface exposure.
The EPSS score rose from a low baseline to a peak of 0.0207 on 2025-12-11 before receding to its current value of 0.0071, indicating a measurable but temporary increase in exploitation interest after public disclosure. No confirmed in-the-wild exploitation has been reported.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2141
Vulnerability details
An OS command injection vulnerability exists in the STEALTHONE D220/D340/D440 network storage servers provided by Y'S corporation. A user with administrative privilege who has logged in to the web management page of the affected product may execute an arbitrary OS command.
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in a public-facing web management interface directly enables exploitation of the application (T1190) and arbitrary Unix shell command execution on the appliance (T1059.004).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates CVE-2025-20016 by requiring timely application of the vendor firmware updates that remediate the OS command injection vulnerability in the web management interface.
- SI-10 (Information Input Validation): Prevents exploitation of the OS command injection vulnerability by validating and sanitizing user input submitted via the web management page.
- AC-6 (Least Privilege): Reduces the impact of successful command injection by enforcing least privilege on the processes handling web management requests, limiting what an injected OS command can do.
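To make the SI-10 control concrete, the following is an added illustration (not code from the STEALTHONE firmware, whose internals are not described on this page) of the pattern behind CWE-78 in a web management handler and its hardened form. It assumes a hypothetical diagnostic page that lets an administrator ping a host from the appliance; the handler names, the hostname rule, and the sample inputs are constructed for this example.

```python
import re
import subprocess
from typing import List

# Hypothetical admin diagnostic: the web page submits a "host" parameter and the
# appliance runs ping against it. Strict allowlist for what a host may look like
# (RFC 1123-style labels, digits allowed, so dotted IPv4 also passes).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Characters that have meaning to /bin/sh; useful for logging or alerting on
# rejected requests, never as the primary defence (the allowlist above is).
SHELL_METACHARS = set(";|&$`<>()\n\r \t'\"\\")


def contains_shell_metacharacters(value: str) -> bool:
    """Detection helper: True if the parameter carries shell syntax."""
    return any(ch in SHELL_METACHARS for ch in value)


def validate_hostname(value: str) -> str:
    """SI-10 style positive validation: accept only a well-formed hostname."""
    if not HOSTNAME_RE.fullmatch(value):
        raise ValueError(f"rejected host parameter: {value!r}")
    return value


def build_ping_command_unsafe(host: str) -> str:
    """Anti-pattern (CWE-78): the parameter is interpolated into a shell string
    that would then be handed to subprocess with shell=True. Any shell
    metacharacter in `host` becomes part of the command line."""
    return f"ping -c 1 {host}"


def build_ping_command_safe(host: str) -> List[str]:
    """Hardened form: validate first, then pass an argument vector so no shell
    ever parses the value; the host is always exactly one argv element."""
    return ["ping", "-c", "1", validate_hostname(host)]


def run_diagnostic(host: str) -> subprocess.CompletedProcess:
    """Execute the diagnostic without a shell, with a timeout and no raise."""
    argv = build_ping_command_safe(host)
    return subprocess.run(argv, capture_output=True, text=True, timeout=10, check=False)


if __name__ == "__main__":
    # Constructed inputs: a legitimate host and a tainted one with shell syntax.
    for candidate in ("nas01.example.com", "nas01.example.com; echo injected"):
        try:
            print("accepted ->", build_ping_command_safe(candidate))
        except ValueError as exc:
            print("rejected ->", exc, "| metacharacters:",
                  contains_shell_metacharacters(candidate))
```

The unsafe builder is kept only to show why string interpolation is the defect: the tainted value survives intact in the returned shell string, whereas the safe builder rejects it before anything is executed and, for accepted values, never involves a shell at all.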