Cyber Resilience

CVE-2025-30091

Severity: Critical

Published: 25 March 2025
Modified: 15 April 2026
KEV Added: not listed (not in CISA KEV)
Patch: fixed in version 4.0.0
CVSS v4.0 score: 9.4 (Critical)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0140 (80.8th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-30091 is a critical-severity Static Code Injection (CWE-96) vulnerability in Moxiemanager (product inferred from references). Its CVSS base score is 9.4 (Critical).

Operationally, its EPSS score places it in the top 19.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Tiny MoxieManager PHP before version 4.0.0 contains a remote code execution vulnerability in its installer command (InstallCommand). The flaw is a static code injection (CWE-96): unauthenticated, attacker-controlled data passed to InstallCommand is written directly into the generated config.php file, and the command remains reachable even after initial setup has completed. The issue carries a CVSS 4.0 score of 9.4, reflecting network-accessible, low-complexity exploitation with high impact on confidentiality, integrity, and availability.

An attacker can supply malicious input to InstallCommand to write and execute arbitrary PHP code on the server. Because the endpoint stays available post-installation and requires no authentication, the attack can be launched remotely by any party able to reach the MoxieManager instance, resulting in full compromise of the affected web application and underlying host.
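To make the CWE-96 mechanism concrete from the defender's side, the following is an added, hypothetical PHP example (not MoxieManager's code, and not taken from the advisory): an installer that writes its configuration as PHP source, shown in the unsafe string-interpolation form and in a hardened form. The hardened writer refuses to run once config.php exists (so the installer cannot be reused after installation, the condition the advisory describes), allow-lists keys, emits values only through var_export() so they can never be parsed as code, and leaves the file read-only, which is the "non-modifiable storage" control listed for CWE-96 below. The function names, the config key names and the sample values are all constructed for this example.

```php
<?php
// Added example (hypothetical; not MoxieManager's code): the CWE-96 pattern in an
// installer that writes config.php as PHP source, beside a hardened writer.

// UNSAFE pattern (CWE-96): request data is interpolated straight into PHP source.
// Any value that closes the string literal becomes executable code in config.php.
function write_config_unsafe(string $path, array $values): void
{
    $src = "<?php\n";
    foreach ($values as $key => $value) {
        $src .= "\$config['$key'] = '$value';\n";
    }
    file_put_contents($path, $src);
}

// Hardened writer: one-shot installer, allow-listed keys, values emitted as
// escaped PHP literals, and the resulting file left read-only.
function write_config_safe(string $path, array $values): void
{
    // 1. The installer is a one-shot operation. Once config.php exists the
    //    command is finished; keeping it reachable post-install is the exposure
    //    described in the advisory.
    if (file_exists($path)) {
        throw new RuntimeException('Installation already completed; installer disabled.');
    }

    $src = "<?php\n";
    foreach ($values as $key => $value) {
        // 2. Keys must be plain identifiers from the installer's own schema,
        //    never free-form request data.
        if (!preg_match('/^[a-z_][a-z0-9_]*$/', (string) $key)) {
            throw new InvalidArgumentException("Invalid config key: $key");
        }
        // 3. Only scalars are accepted, and var_export() escapes quotes and
        //    backslashes, so the value is always data and never code.
        if (!is_scalar($value) && $value !== null) {
            throw new InvalidArgumentException("Non-scalar value for key: $key");
        }
        $src .= '$config[' . var_export($key, true) . '] = '
              . var_export($value, true) . ";\n";
    }

    // 4. Write atomically, then leave the file read-only for the web server
    //    user so the saved executable cannot be modified afterwards.
    $tmp = $path . '.tmp';
    file_put_contents($tmp, $src, LOCK_EX);
    chmod($tmp, 0440);
    rename($tmp, $path);
}

// Constructed sample run: a value containing a quote and a semicolon, the kind
// of input that would break out of the literal in the unsafe writer.
$path = sys_get_temp_dir() . '/config.php';
@unlink($path);
write_config_safe($path, [
    'storage_path' => "/var/www/O'Brien; echo 1",
    'debug'        => false,
]);
echo file_get_contents($path);   // the quote is escaped; the line is still a string assignment

// A second run after installation is refused rather than rewriting config.php.
try {
    write_config_safe($path, ['debug' => true]);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

The design point is that a configuration file written as executable source must never receive request data through string interpolation; if the format cannot be changed to plain data (JSON, INI), every value has to pass through a serializer that produces a literal, and the writer itself must be unreachable once setup is complete.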

Public advisories and the product changelog at moxiemanager.com address the issue under identifier SEC-1063 and document the availability of version 4.0.0 as the corrective release. The associated EPSS score remains low, with a current value of 0.0140 and a peak of only 0.0168.

EU & UK References

Vulnerability details

In Tiny MoxieManager PHP before 4.0.0, remote code execution can occur in the installer command. This vulnerability allows unauthenticated attackers to inject and execute arbitrary code. Attacker-controlled data to InstallCommand can be inserted into config.php, and InstallCommand is available after an installation has completed.

CWE(s)

CWE-96: Static Code Injection

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Moxiemanager
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-96: eliminates the possibility of static code injection into saved executables by making the storage non-modifiable.

References