CVE-2025-3499
Published: 09 July 2025
Summary
CVE-2025-3499 is a critical-severity OS Command Injection (CWE-78) vulnerability in a product identified only as "Gov" (inferred from references). Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 12.2% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and CM-7 (Least Functionality).
Deeper analysis
The vulnerability CVE-2025-3499 is an OS command injection flaw (CWE-78) affecting a device that runs two web servers exposing unauthenticated REST APIs on the management network via TCP ports 8084 and 8086. The issue permits arbitrary commands to be supplied through these interfaces and executed by the underlying operating system.
An attacker with network access to the management interfaces can exploit the flaw without authentication or user interaction. Successful exploitation grants the ability to run commands with administrative privileges, resulting in full compromise of confidentiality, integrity, and availability with a scope change as reflected in the CVSS 10.0 rating.
The single reference points to an advisory hosted at https://www.cvcn.gov.it/cvcn/cve/CVE-2025-3499. The EPSS score is 0.0344, which is both its current and its peak value; it has shown no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-20794
Vulnerability details
The device has two web servers that expose unauthenticated REST APIs on the management network (TCP ports 8084 and 8086). Exploiting OS command injection through these APIs, an attacker can send arbitrary commands that are executed with administrative permissions by the underlying operating system.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unauthenticated RCE via exposed REST API (T1190) enabling OS command execution (T1059.004 Unix Shell).
Mitigating Controls (NIST 800-53 r5)
- Directly prevents OS command injection (CWE-78) by validating inputs to the unauthenticated REST APIs on ports 8084 and 8086.
- AC-14 (Permitted Actions Without Identification or Authentication): limits or eliminates permitted administrative actions, such as command execution, without identification or authentication on the exposed APIs.
- CM-7 (Least Functionality): restricts unnecessary web servers, functions, ports 8084 and 8086, or protocols to minimize exposure of vulnerable unauthenticated APIs.