CVE-2025-43920
Published: 20 April 2025
Summary
CVE-2025-43920 is a medium-severity OS Command Injection (CWE-78) vulnerability in GNU Mailman. Its CVSS base score is 5.4 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 23.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
GNU Mailman 2.1.39, as included in cPanel and WHM installations, contains an OS command injection flaw (CWE-78) that affects certain external archiver configurations. The vulnerability permits unauthenticated remote attackers to supply shell metacharacters in an email Subject header, resulting in arbitrary command execution on the underlying system. The CVSS 3.1 base score of 5.4 reflects high attack complexity and limited impact scope.
An attacker can exploit the flaw by sending a single crafted email whose Subject line reaches the archiver code path; successful exploitation yields limited confidentiality and integrity impact and requires neither authentication nor user interaction. Multiple third-party reports indicate that the condition could not be reproduced in either cPanel or standalone Mailman deployments.
Public references include the upstream Mailman 2.1 branch, a cPanel-specific Python 3 port, an oss-security disclosure thread, and a proof-of-concept repository. No official patch or configuration workaround details are provided in the available references. The associated EPSS score remains low, with a current value of 0.0096 and a peak of 0.0137.
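As an added defensive illustration (not code from the page's references or from Mailman itself), the Python below shows the CWE-78 pattern this advisory describes in generic form: a Subject header spliced into a shell command string, beside the hardened invocation that passes the header as a single argv element, plus a check a mail gateway could run to flag Subject headers carrying shell metacharacters. The archiver path, the metacharacter list and the sample messages are constructed assumptions for this example.

```python
import email
import re
import subprocess
import sys
from email import policy

# Characters a POSIX shell would interpret if a header value were spliced into a
# command string. Assumed list for this example, not Mailman's own.
SHELL_META = re.compile(r'[;&|`$()<>\\\n\r\'"]')

# Constructed sample messages (not real traffic).
CLEAN_MSG = b"From: a@example.org\r\nSubject: Meeting notes\r\n\r\nbody\r\n"
BAD_MSG = b"From: a@example.org\r\nSubject: Re: agenda; id\r\n\r\nbody\r\n"


def extract_subject(raw_message):
    """Parse the raw RFC 5322 message and return its decoded Subject header."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return str(msg.get("Subject", ""))


def subject_has_shell_meta(raw_message):
    """Detection: True if the Subject contains characters a shell would interpret."""
    return SHELL_META.search(extract_subject(raw_message)) is not None


def unsafe_archiver_command(subject):
    """Vulnerable pattern (never executed here): the header is concatenated into a
    command string destined for a shell, so "; id" in the Subject would become a
    second command. Returned only to show what the shell would see."""
    return "/usr/local/bin/archiver --subject " + subject  # hypothetical path


def archive_subject_safely(subject):
    """Hardened pattern: pass the header as one argv element with no shell.
    A Python one-liner stands in for the archiver and echoes back the argument it
    received, so the return value shows the metacharacters stayed literal."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", subject]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for raw in (CLEAN_MSG, BAD_MSG):
        subj = extract_subject(raw)
        print(repr(subj), "flagged" if subject_has_shell_meta(raw) else "clean")
        print("  child received:", repr(archive_subject_safely(subj)))
```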
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-12591
Vulnerability details
GNU Mailman 2.1.39, as bundled in cPanel (and WHM), in certain external archiver configurations, allows unauthenticated attackers to execute arbitrary OS commands via shell metacharacters in an email Subject line. NOTE: multiple third parties report that they are unable to reproduce this, regardless of whether cPanel or WHM is used.
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2025-43920 enables unauthenticated remote exploitation of a public-facing mailing list service (GNU Mailman) via crafted email Subject lines containing shell metacharacters (T1190), resulting in arbitrary Unix shell command execution when an external archiver is configured (T1059.004).
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.