Cyber Resilience

CVE-2025-3322

CriticalRCE

Published: 06 June 2025

Published
06 June 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 10.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0221 84.8th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-3322 is a critical-severity Expression Language Injection (CWE-917) vulnerability in Bbraun (inferred from references). Its CVSS base score is 10.0 (Critical).

Operationally, ranked in the top 15.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability CVE-2025-3322 stems from improper neutralization of inputs used in an expression language, tracked as CWE-917. This flaw resides in a server-side component and permits remote code execution with the highest privileges. It received a maximum CVSS 4.0 score of 10.0 reflecting network attack vector, low complexity, and no prerequisites for authentication or user interaction, resulting in total loss of confidentiality, integrity, and availability on the affected system and its security scope.

An unauthenticated remote attacker can supply crafted inputs that are evaluated by the expression language engine, achieving arbitrary code execution at root or equivalent level. Successful exploitation grants full control over the server, enabling data exfiltration, system modification, or denial of service without any local access or user assistance.

The vendor advisory published at https://www.bbraun.com/productsecurity outlines mitigation guidance for the affected products.

EPSS for this CVE has remained flat at 0.0221 with no material rise from its initial value.

EU & UK References

Vulnerability details

An improper neutralization of inputs used in expression language allows remote code execution with the highest privileges on the server.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Bbraun
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References