CVE-2025-25940
Published: 10 March 2025
Summary
CVE-2025-25940 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Visicut Visicut. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 17.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
VisiCut version 2.1 is affected by an insecure XML deserialization vulnerability in the loadPlfFile method of VisicutModel.java. The flaw, tracked as CVE-2025-25940 and assigned CWE-502, permits remote code execution when untrusted XML content is processed, resulting in a CVSS 3.1 base score of 9.8.
An unauthenticated attacker can supply a malicious PLF file over the network and trigger arbitrary code execution with full confidentiality, integrity, and availability impact. No user interaction or privileges are required for successful exploitation.
The EPSS score remains low, with a current value of 0.0163 and a peak of 0.0223, indicating limited observed exploitation interest to date. The project repository and a dedicated advisory page are referenced for further technical details.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7690
Vulnerability details
VisiCut 2.1 allows code execution via Insecure XML Deserialization in the loadPlfFile method of VisicutModel.java.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated arbitrary code execution via insecure XML deserialization directly enables exploitation of public-facing applications (T1190) and command/script execution on the target (T1059).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely remediation of the insecure XML deserialization flaw in VisiCut's loadPlfFile method to eliminate arbitrary code execution.
Mandates validation of untrusted XML inputs prior to deserialization to block malicious payloads targeting the VisicutModel.java vulnerability.
Deploys memory protections such as DEP to prevent execution of arbitrary code resulting from insecure deserialization in VisiCut.