Cyber Resilience

CVE-2025-3816

Severity: Medium · Public PoC

Published: 19 April 2025
Modified: 01 October 2025
KEV Added: (not listed)
Patch: (none referenced)
CVSS Score (v4): 5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0088 (75.8th percentile)
Risk Priority: 11 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-3816 is a medium-severity Command Injection (CWE-77) vulnerability in Westboy Cicadascms. Its CVSS base score is 5.1 (Medium).

Operationally, it is ranked in the top 24.2% of CVEs by exploit likelihood (EPSS 75.8th percentile); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

A vulnerability rated critical by its reporter exists in westboy CicadasCMS version 2.0 within the Scheduled Task Handler component. The flaw resides in an unspecified part of the file /system/schedule/save and stems from improper handling of input that permits operating system command injection, as indicated by the associated CWE-77 and CWE-78 classifications. The issue is remotely triggerable and carries a CVSS 4.0 score of 5.1.

An attacker who already holds high privileges (PR:H in the vector) can exploit the weakness over the network to inject and execute arbitrary operating system commands on the affected server. Public disclosure of the exploit code increases the likelihood that the technique will be incorporated into automated attacks or reused by other threat actors against unpatched installations.

The EPSS score for this CVE rose from a low baseline to a peak of 0.0388 on 2026-02-13 before receding to its current value of 0.0088, indicating a period of increased exploitation interest after the initial disclosure. No official patches or mitigation guidance appear among the referenced sources.

EU & UK References

Vulnerability details

A vulnerability classified as critical was found in westboy CicadasCMS 2.0. This vulnerability affects unknown code of the file /system/schedule/save of the component Scheduled Task Handler. The manipulation leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: westboy
Product: cicadascms
Version: 1.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

- Addresses CWE-78: Validates inputs to block special elements that would alter OS command execution.

References