CVE-2025-24962
Published: 03 February 2025
Summary
CVE-2025-24962 is a high-severity Injection (CWE-74) vulnerability in Yogeshojha Rengine. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks in the top 17.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
reNgine, an automated reconnaissance framework for web applications, is affected by a command injection vulnerability tracked as CVE-2025-24962. In vulnerable versions, an authenticated user can supply arbitrary commands through the nmap_cmd parameter. The flaw is classified as CWE-74 (injection) and rated 8.7 under CVSS 4.0.
An attacker with a low-privileged account can exploit the flaw remotely without user interaction to execute operating-system commands, resulting in high impact to confidentiality, integrity, and availability within the application's scope.
The project addressed the issue in commit c28e5c8d, which is expected to appear in the next release. The associated GitHub security advisory recommends that operators filter user-supplied input and watch for the patched version.
EPSS remains low at 0.0168 with no material increase from its recorded peak.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3992
Vulnerability details
reNgine is an automated reconnaissance framework for web applications. In affected versions a user can inject commands via the nmap_cmd parameters. This issue has been addressed in commit `c28e5c8d` and is expected in the next versioned release. Users are advised to filter user input and monitor the project for a new release.
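One way to apply the "filter user input" advice to an nmap_cmd-style value, as an added example (not reNgine's code and not the change in commit c28e5c8d): the option allowlist and the names `build_nmap_argv`, `run_scan` and `RejectedCommand` are assumptions made for this illustration. It rejects shell metacharacters, accepts only allowlisted options, and hands nmap an argument list so no shell ever parses the value.

```python
import re
import shlex
import subprocess

# Assumed policy for this example: the only nmap options an operator may pass.
ALLOWED_FLAGS = {"-sV", "-sT", "-Pn", "-T4", "-F", "--open"}
FLAGS_WITH_VALUE = {
    "-p": re.compile(r"[0-9,\-]{1,64}"),       # port list such as 80,443 or 1-1024
    "--top-ports": re.compile(r"[0-9]{1,5}"),
}
TARGET_RE = re.compile(r"(?!-)[A-Za-z0-9.\-]{1,253}")  # must not look like an option
SHELL_META = set(";|&$`<>(){}\\\n\r\"'*?!#~")


class RejectedCommand(ValueError):
    """Raised when the supplied command falls outside the allowlist."""


def build_nmap_argv(nmap_cmd: str, target: str) -> list[str]:
    """Turn a user-supplied nmap command into a vetted argv list, or raise."""
    if any(ch in SHELL_META for ch in nmap_cmd):
        raise RejectedCommand("shell metacharacter in nmap_cmd")
    if not TARGET_RE.fullmatch(target):
        raise RejectedCommand("invalid target")
    tokens = shlex.split(nmap_cmd)
    if not tokens or tokens[0] != "nmap":
        raise RejectedCommand("command must start with nmap")
    argv = ["nmap"]
    it = iter(tokens[1:])
    for tok in it:
        if tok in ALLOWED_FLAGS:
            argv.append(tok)
        elif tok in FLAGS_WITH_VALUE:
            value = next(it, "")  # a missing value fails the pattern below
            if not FLAGS_WITH_VALUE[tok].fullmatch(value):
                raise RejectedCommand(f"bad value for {tok}")
            argv += [tok, value]
        else:
            # Covers options that run scripts or read/write files, e.g. --script, -oN, -iL.
            raise RejectedCommand(f"option not allowed: {tok}")
    return argv + [target]


def run_scan(nmap_cmd: str, target: str) -> subprocess.CompletedProcess:
    """Execute the vetted argv directly; shell=False means no shell parsing."""
    argv = build_nmap_argv(nmap_cmd, target)
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=600)
```

Rejections raise `RejectedCommand`, which the calling view can log with the requesting account to surface injection attempts.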
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in nmap_cmd parameter enables arbitrary command execution on the host via the Unix shell interpreter.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly prevents command injection by validating and sanitizing user input in the nmap_cmd parameter as recommended in the advisory.
Remediates the specific command injection flaw by updating reNgine to the patched version incorporating commit c28e5c8d.
Scans for vulnerabilities like CVE-2025-24962 in reNgine to identify and prioritize remediation before exploitation.