CVE-2025-27106
Published: 21 February 2025
Summary
CVE-2025-27106 is a high-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 16.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
binance-trading-bot, an automated Binance trading bot, contains a command-injection vulnerability in its /restore endpoint. The endpoint accepts an uploaded file whose name is passed directly to shell.exec after only path normalization, enabling arbitrary command execution on the underlying host when the endpoint is invoked.
Authenticated users can exploit the flaw by supplying a crafted filename during a restore operation, resulting in remote code execution with the privileges of the bot process. The issue affects any deployment exposing the webserver handlers to authorized accounts and carries a CVSS 4.0 score of 7.7 with the CWE-78 classification.
The project security advisory and accompanying commit indicate that the vulnerability is resolved in version 0.0.100; administrators are advised to upgrade immediately, as no workarounds are documented.
EPSS values rose from a low baseline to a recorded peak of 0.0450, indicating measurable post-disclosure exploitation interest that warrants renewed attention for exposed instances.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5082
Vulnerability details
binance-trading-bot is an automated Binance trading bot with trailing buy/sell strategy. Authenticated users of binance-trading-bot can achieve Remote Code Execution on the host system due to a command injection vulnerability in the `/restore` endpoint. The restore endpoint of binance-trading-bot is vulnerable to command injection via the `/restore` endpoint. The name of the uploaded file is passed to shell.exec without sanitization other than path normalization, resulting in Remote Code Execution. This may allow any authorized user to execute code in the context of the host machine. This issue has been addressed in version 0.0.100 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection via unsanitized filename in web /restore endpoint to shell.exec() enables RCE on public-facing app (T1190) and arbitrary Unix shell command execution (T1059.004).
Mitigating Controls (NIST 800-53 r5)
Requires validation of the uploaded filename at the /restore endpoint to block command injection into shell.exec().
Mandates timely remediation of the command injection flaw through patching to version 0.0.100 or later.
Enforces least privilege on the bot process to limit the scope and impact of RCE achieved via command injection.