CVE-2025-41717

HighRCE

Published: 13 January 2026

Published

13 January 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0005 14.9th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-41717 is a high-severity Code Injection (CWE-94) vulnerability in Certvde (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and CM-3 (Configuration Change Control).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 directly prevents code injection by requiring validation and sanitization of inputs to the config-upload endpoint, addressing the improper control of code generation.

SI-7 Software, Firmware, and Information Integrity partial match

preventdetect

SI-7 monitors the integrity of software, firmware, and configuration information to detect alterations from malicious payloads before or during execution as root.

CM-3 Configuration Change Control partial match

prevent

CM-3 establishes configuration change control processes to review and approve uploads to the config-upload endpoint, mitigating risks from tricked high-privileged users.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1204.002 Malicious File Execution

An adversary may rely upon a user opening a malicious file in order to gain execution.

attack.mitre.org →

Why these techniques?

Vulnerability in public-facing config-upload endpoint directly enables remote exploitation for code injection/RCE (T1190); requires social engineering to induce privileged user to upload/execute malicious payload (T1204.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An unauthenticated remote attacker can trick a high privileged user into uploading a malicious payload via the config-upload endpoint, leading to code injection as root. This results in a total loss of confidentiality, availability and integrity due to improper control…

of code generation ('Code Injection’).

Deeper analysisAI

CVE-2025-41717, published on 2026-01-13, is a code injection vulnerability (CWE-94) stemming from improper control of code generation in the config-upload endpoint. It enables an unauthenticated remote attacker to trick a high-privileged user into uploading a malicious payload, resulting in code injection executed as root. The flaw carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity with network accessibility, low attack complexity, no required privileges, but user interaction, and high impacts on confidentiality, integrity, and availability.

An unauthenticated remote attacker can exploit this vulnerability by socially engineering a high-privileged user to interact with the config-upload endpoint and upload a crafted malicious payload. Successful exploitation leads to arbitrary code execution as root, compromising the entire system with a total loss of confidentiality, availability, and integrity.

Advisories and additional details are available in the referenced sources, including https://certvde.com/de/advisories/VDE-2025-073 and http://seclists.org/fulldisclosure/2026/Feb/3.