CVE-2025-3816
Published: 19 April 2025
Summary
CVE-2025-3816 is a medium-severity Command Injection (CWE-77) vulnerability in westboy CicadasCMS. Its CVSS base score is 5.1 (Medium).
Operationally, it ranks in the top 24.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
A vulnerability classified as critical exists in westboy CicadasCMS version 2.0 within the Scheduled Task Handler component. The flaw resides in unknown code of the file /system/schedule/save and stems from improper handling of input that permits operating system command injection, as indicated by the associated CWE-77 (Command Injection) and CWE-78 (OS Command Injection) classifications. The issue is remotely triggerable and carries a CVSS 4.0 score of 5.1.
An attacker who already holds high privileges can exploit the weakness over the network to inject and execute arbitrary operating system commands on the affected server. Because the exploit code has been publicly disclosed, the technique is more likely to be incorporated into automated attacks or reused by other threat actors against unpatched installations.
The EPSS score for this CVE rose from a low baseline to a peak of 0.0388 on 2026-02-13 before receding to its current value of 0.0088, indicating a period of increased exploitation interest after the initial disclosure. No official patches or mitigation guidance appear among the referenced sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-11939
Vulnerability details
A vulnerability classified as critical was found in westboy CicadasCMS 2.0. This vulnerability affects unknown code of the file /system/schedule/save of the component Scheduled Task Handler. The manipulation leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
- CWE(s): CWE-77 (Command Injection), CWE-78 (OS Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
westboy CicadasCMS 2.0 (Scheduled Task Handler component, file /system/schedule/save)
Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.