Cyber Resilience

CVE-2025-48501

CriticalRCE

Published: 07 July 2025

Published
07 July 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0138 80.7th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-48501 is a critical-severity OS Command Injection (CWE-78) vulnerability in Amazon (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, ranked in the top 19.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

An OS command injection vulnerability tracked as CVE-2025-48501 affects Nimesa Backup and Recovery versions 2.3 and 2.4. The flaw, classified under CWE-78, permits execution of arbitrary operating system commands on the server hosting the product and carries a CVSS 4.0 score of 9.3 reflecting network attack vector, low complexity, and no required authentication or user interaction.

An unauthenticated remote attacker can send specially crafted input to the affected backup and recovery application, resulting in full control over the underlying server with impacts to confidentiality, integrity, and availability. Exploitation requires no privileges or user interaction, enabling direct command execution from the network.

Public advisories referencing the issue are available from the Japan Vulnerability Notes project at https://jvn.jp/en/jp/JVN88251376/ and the AWS Marketplace seller profile for the vendor at https://aws.amazon.com/marketplace/seller-profile?id=08fb48d1-5d60-4feb-93c6-c0c219278a2c. The current and peak EPSS scores remain at 0.0138 with no material increase observed.

EU & UK References

Vulnerability details

An OS command injection issue exists in Nimesa Backup and Recovery v2.3 and v2.4. If this vulnerability is exploited, an arbitrary OS commands may be executed on the server where the product is running.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Amazon
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

References