Cyber Resilience

CVE-2025-27106

Severity: High · Impact: RCE

Published: 21 February 2025
Modified: 15 April 2026
CVSS Score (v4): 7.7, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0199 (84.0th percentile)
Risk Priority: 17 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-27106 is a high-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 16.0% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

binance-trading-bot, an automated Binance trading bot, contains a command-injection vulnerability in its /restore endpoint. The endpoint accepts an uploaded file whose name is passed directly to shell.exec after only path normalization, which does not remove shell metacharacters; a crafted filename therefore yields arbitrary command execution on the underlying host whenever the endpoint is invoked.

Authenticated users can exploit the flaw by supplying a crafted filename during a restore operation, resulting in remote code execution with the privileges of the bot process. The issue affects any deployment exposing the webserver handlers to authorized accounts and carries a CVSS 4.0 score of 7.7 with the CWE-78 classification.

The project security advisory and accompanying commit indicate that the vulnerability is resolved in version 0.0.100; administrators are advised to upgrade immediately, as no workarounds are documented.

EPSS values rose from a low baseline to a recorded peak of 0.0450, indicating measurable post-disclosure exploitation interest that warrants renewed attention for exposed instances.

Vulnerability details

binance-trading-bot is an automated Binance trading bot with trailing buy/sell strategy. Authenticated users of binance-trading-bot can achieve Remote Code Execution on the host system due to a command injection vulnerability in the `/restore` endpoint. The restore endpoint of binance-trading-bot is vulnerable to command injection via the `/restore` endpoint. The name of the uploaded file is passed to shell.exec without sanitization other than path normalization, resulting in Remote Code Execution. This may allow any authorized user to execute code in the context of the host machine. This issue has been addressed in version 0.0.100 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection via an unsanitized filename passed from the web /restore endpoint to shell.exec() enables RCE against a public-facing application (T1190) and arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-42454 (shared CWE-78)
- CVE-2026-34796 (shared CWE-78)
- CVE-2024-57016 (shared CWE-78)
- CVE-2025-50475 (shared CWE-78)
- CVE-2024-57015 (shared CWE-78)
- CVE-2026-36828 (shared CWE-78)
- CVE-2024-57595 (shared CWE-78)
- CVE-2026-25196 (shared CWE-78)
- CVE-2024-50566 (shared CWE-78)
- CVE-2026-23592 (shared CWE-78)

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

- Prevent (SI-10, Information Input Validation): Requires validation of the uploaded filename at the /restore endpoint to block command injection into shell.exec().
- Prevent (SI-2, Flaw Remediation): Mandates timely remediation of the command injection flaw through patching to version 0.0.100 or later.
- Prevent: Enforces least privilege on the bot process to limit the scope and impact of RCE achieved via command injection.
