CVE-2025-25067
Published: 13 February 2025
Summary
CVE-2025-25067 is a critical-severity OS Command Injection (CWE-78) vulnerability in mySCADA myPRO Manager. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 20.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
mySCADA myPRO Manager contains an OS command injection vulnerability tracked as CVE-2025-25067 and CWE-78. The flaw allows arbitrary operating-system command execution and is rated 9.3 under CVSS 4.0 with a network attack vector, low complexity, and no authentication or user-interaction requirements.
An unauthenticated remote attacker can send crafted input to the affected component and obtain full control over confidentiality, integrity, and availability of the host system. Exploitation requires only network reachability to the manager service.
The CISA advisory ICSA-25-044-16 and vendor pages at myscada.org supply mitigation guidance and updated downloads. The associated EPSS score remains flat at 0.0124 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4009
Vulnerability details
mySCADA myPRO Manager is vulnerable to an OS command injection which could allow a remote attacker to execute arbitrary OS commands.
- CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command, "OS Command Injection")
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote OS command injection in public-facing app directly enables T1190 for initial access via exploitation and T1059 for arbitrary command execution.
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely identification, reporting, and correction of flaws such as the OS command injection vulnerability in CVE-2025-25067, including applying vendor patches.
SI-10 enforces validation of all inputs to mySCADA myPRO Manager, directly preventing malicious payloads from enabling OS command injection in CVE-2025-25067.
SI-4 provides continuous monitoring to identify indicators of successful OS command injection exploitation from CVE-2025-25067, such as anomalous processes or system calls.