CVE-2025-3322
Published: 06 June 2025
Summary
CVE-2025-3322 is a critical-severity Expression Language Injection (CWE-917) vulnerability in Bbraun (inferred from references). Its CVSS base score is 10.0 (Critical).
Operationally, ranked in the top 15.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability CVE-2025-3322 stems from improper neutralization of inputs used in an expression language, tracked as CWE-917. This flaw resides in a server-side component and permits remote code execution with the highest privileges. It received a maximum CVSS 4.0 score of 10.0 reflecting network attack vector, low complexity, and no prerequisites for authentication or user interaction, resulting in total loss of confidentiality, integrity, and availability on the affected system and its security scope.
An unauthenticated remote attacker can supply crafted inputs that are evaluated by the expression language engine, achieving arbitrary code execution at root or equivalent level. Successful exploitation grants full control over the server, enabling data exfiltration, system modification, or denial of service without any local access or user assistance.
The vendor advisory published at https://www.bbraun.com/productsecurity outlines mitigation guidance for the affected products.
EPSS for this CVE has remained flat at 0.0221 with no material rise from its initial value.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-17092
Vulnerability details
An improper neutralization of inputs used in expression language allows remote code execution with the highest privileges on the server.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.