Cyber Resilience

CVE-2025-25940

Severity: Critical · Public PoC · RCE

Published: 10 March 2025
Modified: 23 June 2025
KEV Added: not in CISA KEV
Patch: not specified
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0163 (82.3rd percentile)
Risk Priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-25940 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in VisiCut (vendor and product are both listed as visicut). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 17.7% of CVEs by EPSS exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and, with reservations for a Java deserialization flaw where no memory corruption is involved, SI-16 (Memory Protection).

Deeper analysis

VisiCut version 2.1 is affected by an insecure XML deserialization vulnerability in the loadPlfFile method of VisicutModel.java. The flaw, tracked as CVE-2025-25940 and classified as CWE-502, leads to remote code execution when untrusted XML content from a PLF project file is processed; the CVSS 3.1 base score is 9.8.

The vector scores the flaw as network-reachable with no privileges or user interaction required, with full confidentiality, integrity, and availability impact: an attacker who can get a malicious PLF file processed by VisiCut obtains arbitrary code execution in the VisiCut process. In practice the trigger is VisiCut loading an attacker-supplied project file, so the realistic delivery path is a crafted .plf file that VisiCut is induced to open. Treat the AV:N/UI:N scoring as the vector's upper bound when assessing exposure, not as evidence of a network-listening service.

The EPSS score is low in absolute terms (0.0163, roughly a 1.6% predicted probability of exploitation activity within 30 days, with a historical peak of 0.0223) but sits at the 82.3rd percentile of all scored CVEs. That is consistent with limited exploitation interest to date, though the public proof-of-concept means the picture can change quickly. The project repository and a dedicated advisory page are referenced for further technical details.

Vulnerability details

VisiCut 2.1 allows code execution via Insecure XML Deserialization in the loadPlfFile method of VisicutModel.java.

CWE(s)

CWE-502 Deserialization of Untrusted Data

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059 Command and Scripting Interpreter (Execution): adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Remote unauthenticated arbitrary code execution via insecure XML deserialization maps to exploitation of a public-facing application (T1190) for initial access and to command or script execution on the target (T1059) once the payload runs. The T1190 mapping follows the CVSS vector; where VisiCut is run as a desktop tool rather than an exposed service, the practical initial access is a user opening a crafted PLF file, which T1190 does not describe.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-29782 (shared CWE-502)
CVE-2026-42778 (shared CWE-502)
CVE-2025-68047 (shared CWE-502)
CVE-2026-22345 (shared CWE-502)
CVE-2024-28988 (shared CWE-502)
CVE-2026-47161 (shared CWE-502)
CVE-2024-9664 (shared CWE-502)
CVE-2026-24385 (shared CWE-502)
CVE-2026-27084 (shared CWE-502)
CVE-2025-42944 (shared CWE-502)

Affected Assets

Vendor: visicut
Product: visicut
Version: 2.1

Mitigating Controls (NIST 800-53 r5)

Prevent (flaw remediation): timely remediation of the insecure XML deserialization flaw in VisiCut's loadPlfFile method, which removes the arbitrary code execution path entirely.

Prevent (SI-10, Information Input Validation): validate untrusted XML input before it reaches any deserializer, so that the document cannot dictate which classes are instantiated or which methods are called. For Java this means parsing the file as data with a locked-down XML parser and accepting only the expected structure, or configuring the deserializer with a strict allowlist of types.

Prevent (SI-16, Memory Protection): the analysis lists memory protections such as DEP, but they do not help against this flaw. A Java deserialization exploit runs attacker-chosen but legitimate JVM code (constructor and method calls named by the XML) rather than injected machine code, so DEP, ASLR and similar mitigations are not on the exploitation path. Treat SI-16 as general hygiene, not as a compensating control for CVE-2025-25940.
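Worked example, added here and not taken from VisiCut or the referenced advisory, serving both the loadPlfFile description under Deeper analysis and the SI-10 control above. Java "insecure XML deserialization" findings almost always mean java.beans.XMLDecoder (or an unrestricted XStream instance); this page does not say which VisiCut uses, so the XMLDecoder pattern, the transform.xml entry name, the AffineTransform payload and both sample documents below are assumptions and constructed inputs, not facts about the PLF format. The block contrasts the vulnerable reader, where the document decides which class gets instantiated, with a hardened reader that treats the file as data and builds the one expected object itself.

```java
import java.awt.geom.AffineTransform;
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/** Added example, not VisiCut code. Assumes (hypothetically) that a PLF project file carries a
 *  transform.xml written by java.beans.XMLEncoder holding one AffineTransform. */
public class PlfTransformReader {

    /** Constructed benign sample in the layout XMLEncoder emits for an AffineTransform. */
    static final String BENIGN_XML =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<java version=\"1.8.0\" class=\"java.beans.XMLDecoder\">\n"
      + " <object class=\"java.awt.geom.AffineTransform\">\n"
      + "  <double>1.0</double><double>0.0</double><double>0.0</double>\n"
      + "  <double>1.0</double><double>10.0</double><double>20.0</double>\n"
      + " </object>\n"
      + "</java>\n";

    /** Constructed sample naming a different class: with XMLDecoder the document, not the
     *  program, chooses what gets constructed. A harmless class is used on purpose. */
    static final String HOSTILE_SHAPE_XML =
        "<java version=\"1.8.0\" class=\"java.beans.XMLDecoder\">\n"
      + " <object class=\"java.io.File\"><string>/tmp/not-a-transform</string></object>\n"
      + "</java>\n";

    /** VULNERABLE shape: XMLDecoder performs whatever constructor and method calls the XML encodes. */
    static AffineTransform readUnsafe(InputStream in) {
        try (XMLDecoder dec = new XMLDecoder(in)) {
            return (AffineTransform) dec.readObject(); // cast happens after the object graph is built
        }
    }

    /** HARDENED: parse as plain XML with DTDs disabled, accept exactly one
     *  <object class="java.awt.geom.AffineTransform"> with six <double> children,
     *  and construct the transform ourselves. Nothing named by the file is instantiated. */
    static AffineTransform readSafe(InputStream in) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, so no XXE
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder().parse(in);

        Element root = doc.getDocumentElement();
        if (!"java".equals(root.getTagName())) {
            throw new SecurityException("unexpected root element <" + root.getTagName() + ">");
        }
        List<Element> objs = childElements(root);
        if (objs.size() != 1 || !"object".equals(objs.get(0).getTagName())) {
            throw new SecurityException("expected exactly one <object> element");
        }
        String cls = objs.get(0).getAttribute("class");
        if (!"java.awt.geom.AffineTransform".equals(cls)) {
            throw new SecurityException("refusing to build class named by file: " + cls);
        }
        List<Element> vals = childElements(objs.get(0));
        if (vals.size() != 6) {
            throw new SecurityException("expected 6 matrix values, got " + vals.size());
        }
        double[] m = new double[6]; // {m00, m10, m01, m11, m02, m12}, the order XMLEncoder emits
        for (int i = 0; i < 6; i++) {
            if (!"double".equals(vals.get(i).getTagName())) {
                throw new SecurityException("unexpected element <" + vals.get(i).getTagName() + ">");
            }
            m[i] = Double.parseDouble(vals.get(i).getTextContent().trim());
            if (!Double.isFinite(m[i])) throw new SecurityException("non-finite matrix value");
        }
        return new AffineTransform(m);
    }

    private static List<Element> childElements(Element parent) {
        List<Element> out = new ArrayList<>();
        for (Node c = parent.getFirstChild(); c != null; c = c.getNextSibling()) {
            if (c.getNodeType() == Node.ELEMENT_NODE) out.add((Element) c);
        }
        return out;
    }

    private static InputStream bytes(String s) {
        return new ByteArrayInputStream(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        System.out.println("safe reader, benign file:   " + readSafe(bytes(BENIGN_XML)));
        try {
            readSafe(bytes(HOSTILE_SHAPE_XML));
        } catch (SecurityException e) {
            System.out.println("safe reader, hostile file:  rejected: " + e.getMessage());
        }
        try {
            readUnsafe(bytes(HOSTILE_SHAPE_XML)); // the java.io.File is constructed before the cast fails
        } catch (ClassCastException e) {
            System.out.println("unsafe reader, hostile file: object already built, then ClassCastException");
        }
    }
}
```

Compile with javac PlfTransformReader.java and run; the JDK's bundled parser honours the disallow-doctype-decl feature. The shape of the fix (parse as data, allowlist the expected structure, construct the object yourself) is what SI-10 means for this bug class. Projects that use XStream instead of XMLDecoder get the equivalent by registering an explicit allowlist of types with XStream.allowTypes rather than relying on the library's default permissiveness.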
