CVE-2025-3626
Published: 07 July 2025
Summary
CVE-2025-3626 is a critical-severity OS Command Injection (CWE-78) vulnerability; the affected vendor is recorded as Certvde, inferred from the references. Its CVSS base score is 9.1 (Critical).
Operationally, it is ranked in the top 21.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability is an OS Command Injection flaw (CWE-78) that occurs while a configuration file is uploaded through the web UI. The affected device's web management interface accepts and processes these files without properly neutralizing special elements, so attacker-controlled input reaches an operating-system command and arbitrary commands can be executed.
A remote attacker who already holds administrator credentials can exploit the issue over the network. Successful exploitation grants full control of the device, including the ability to read, modify, or delete data and to alter device behavior at the highest privilege level.
The referenced advisory VDE-2025-030 at certvde.com provides vendor guidance on mitigation steps and any available patches or workarounds. The EPSS score has remained flat at 0.0113, with no material increase since disclosure.
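To make the weakness class concrete, the following added example (written for this page, not code from the affected product or from the advisory) contrasts a constructed upload handler that interpolates the uploaded config file name into a shell command with a hardened handler that allow-lists the name, validates the file as key=value lines, and returns an argv list for `subprocess.run(..., shell=False)`. The paths `/usr/sbin/apply_config` and `/tmp/uploads/` are assumptions; nothing is executed.

```python
import re
import shlex

# Constructed illustration of CWE-78 in a config-upload handler. Both handlers
# only BUILD the command that would later run; neither executes anything.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\.cfg$")
SAFE_KEY = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_.:/ -]{0,128}$")
APPLY_TOOL = "/usr/sbin/apply_config"      # assumed path, not from the advisory
UPLOAD_DIR = "/tmp/uploads"                # assumed path, not from the advisory


def vulnerable_apply_config(filename: str) -> str:
    """Vulnerable pattern: the user-supplied name is spliced into a shell
    string destined for os.system()/shell=True, so shell metacharacters in
    the name become part of the command line."""
    return f"{APPLY_TOOL} {UPLOAD_DIR}/{filename}"


def hardened_apply_config(filename: str, content: str) -> list[str]:
    """Hardened pattern: strict allow-list on the name, structural validation
    of the uploaded contents, and an argv list so no shell parses user data."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError("rejected config file name")
    for lineno, raw in enumerate(content.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank lines and comments are fine
        key, sep, value = line.partition("=")
        if not sep or not SAFE_KEY.fullmatch(key.strip()):
            raise ValueError(f"malformed config line {lineno}")
        if not SAFE_VALUE.fullmatch(value.strip()):
            raise ValueError(f"disallowed characters in value on line {lineno}")
    return [APPLY_TOOL, f"{UPLOAD_DIR}/{filename}"]


def rejects(filename: str, content: str) -> bool:
    """True if the hardened handler refuses this upload."""
    try:
        hardened_apply_config(filename, content)
    except ValueError:
        return True
    return False


def looks_injected(command: str) -> bool:
    """Detection helper for audit logs: a built command that tokenises to more
    than the two expected words, or carries shell operators, is suspicious."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        return True
    return len(tokens) != 2 or any(ch in command for ch in ";|&`$<>\n")
```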
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-20202
Vulnerability details
A remote attacker with an administrator account can gain full control of the device due to improper neutralization of special elements used in an OS command ('OS Command Injection') while uploading a config file via the web UI.
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.