Cyber Resilience

CVE-2025-24962

High · Public PoC

Published: 03 February 2025

Modified: 13 May 2025
KEV Added
Patch
CVSS Score v4: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0168 (82.6th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-24962 is a high-severity Injection (CWE-74) vulnerability in Yogeshojha Rengine. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks in the top 17.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

reNgine, an automated reconnaissance framework for web applications, is affected by a command injection vulnerability tracked as CVE-2025-24962. In vulnerable versions, an authenticated user can supply arbitrary commands through the nmap_cmd parameter. The flaw is classified as CWE-74 (injection) and rated 8.7 under CVSS 4.0.

An attacker with a low-privileged account can exploit the flaw remotely without user interaction to execute operating-system commands, resulting in high impact to confidentiality, integrity, and availability within the application's scope.

The project addressed the issue in commit c28e5c8d, which is expected to appear in the next release. The associated GitHub security advisory recommends that operators filter user-supplied input and watch for the patched version.

EPSS remains low at 0.0168 with no material increase from its recorded peak.

Vulnerability details

reNgine is an automated reconnaissance framework for web applications. In affected versions a user can inject commands via the nmap_cmd parameters. This issue has been addressed in commit `c28e5c8d` and is expected in the next versioned release. Users are advised to filter user input and monitor the project for a new release.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in nmap_cmd parameter enables arbitrary command execution on the host via the Unix shell interpreter.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-58287 · Same product: Yogeshojha Rengine
CVE-2025-24968 · Same product: Yogeshojha Rengine
CVE-2025-24899 · Same product: Yogeshojha Rengine
CVE-2024-39784 · Shared CWE-74
CVE-2024-39785 · Shared CWE-74
CVE-2024-34544 · Shared CWE-74
CVE-2025-24364 · Shared CWE-74
CVE-2026-3065 · Shared CWE-74
CVE-2025-20265 · Shared CWE-74
CVE-2024-36295 · Shared CWE-74

Affected Assets

yogeshojha / rengine / 2.2.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents command injection by validating and sanitizing user input in the nmap_cmd parameter as recommended in the advisory.

prevent

Remediates the specific command injection flaw by updating reNgine to the patched version incorporating commit c28e5c8d.

detect

Scans for vulnerabilities like CVE-2025-24962 in reNgine to identify and prioritize remediation before exploitation.
