CVE-2025-48501
Published: 07 July 2025
Summary
CVE-2025-48501 is a critical-severity OS Command Injection (CWE-78) vulnerability in Nimesa Backup and Recovery versions 2.3 and 2.4 (the vendor is listed on the AWS Marketplace). Its CVSS 4.0 base score is 9.3 (Critical).
Operationally, it ranks in the top 19.3% of CVEs by exploit likelihood (EPSS 0.0138); it is not currently listed in the CISA KEV catalog.
Deeper analysis
An OS command injection vulnerability tracked as CVE-2025-48501 affects Nimesa Backup and Recovery versions 2.3 and 2.4. The flaw, classified under CWE-78, permits execution of arbitrary operating system commands on the server hosting the product and carries a CVSS 4.0 score of 9.3 reflecting network attack vector, low complexity, and no required authentication or user interaction.
An unauthenticated remote attacker can send specially crafted input to the affected backup and recovery application and have the server execute arbitrary OS commands in the context of the product, with full impact to confidentiality, integrity, and availability. Because no privileges or user interaction are required, a single crafted request from the network is sufficient. Note that the public advisory does not disclose which input or endpoint carries the injection, so the mitigation is to update the product rather than to filter a specific parameter.
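As an added illustration of the CWE-78 pattern described above (generic example code written for this page, not Nimesa's code, and not the actual injection point of CVE-2025-48501, which the advisory does not disclose): a hypothetical backup-job handler that formats a user-supplied job name into a string handed to `/bin/sh`, beside its hardened form that validates the name against an allowlist and passes it as a single argv element so no shell ever parses it. The command template uses `echo` in place of a real backup tool so the example runs harmlessly offline; the job-name parameter, the allowlist regex and the payload string are assumptions.

```python
"""Generic CWE-78 illustration: shell-interpolated input vs. validated argv.

Added example; NOT Nimesa code, and it makes no claim about where the real
injection point in CVE-2025-48501 is. The backup-job handler, its parameter
name, the command template and the payload are assumptions for illustration.
"""
import re
import subprocess

# Stand-in for the real backup command: `echo` keeps the example harmless and
# runnable offline. Only the handling of `job_name` matters here.
COMMAND_TEMPLATE = "echo backing up {job_name}"

# Allowlist for user-supplied job names (assumed policy): letters, digits,
# underscore and hyphen only, so no shell metacharacter can ever appear.
JOB_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Constructed sample input, not taken from any advisory: a legitimate-looking
# name followed by a shell separator and a second command.
PAYLOAD = "nightly; echo INJECTED"


def vulnerable_run(job_name: str) -> str:
    """CWE-78 pattern: untrusted input formatted into a string that /bin/sh parses.

    With shell=True the `;` in the payload ends the first command and the
    attacker-chosen `echo INJECTED` runs as a second command.
    """
    cmd = COMMAND_TEMPLATE.format(job_name=job_name)
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def validate_job_name(job_name: str) -> str:
    """Reject anything outside the allowlist before it reaches a process call."""
    if not JOB_NAME_RE.fullmatch(job_name):
        raise ValueError(f"invalid job name: {job_name!r}")
    return job_name


def argv_only_run(job_name: str) -> str:
    """Second defence on its own: argv list, no shell.

    Even an unvalidated payload is delivered to `echo` as one literal argument;
    nothing interprets the `;`, so no second command runs.
    """
    argv = ["echo", "backing", "up", job_name]
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout


def hardened_run(job_name: str) -> str:
    """Hardened form: allowlist validation AND argv list (defence in depth)."""
    return argv_only_run(validate_job_name(job_name))


def injected(output: str) -> bool:
    """True if the marker from the attacker's second command appears as its own line."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    print("vulnerable :", repr(vulnerable_run(PAYLOAD)), "injected =", injected(vulnerable_run(PAYLOAD)))
    print("argv only  :", repr(argv_only_run(PAYLOAD)), "injected =", injected(argv_only_run(PAYLOAD)))
    try:
        hardened_run(PAYLOAD)
    except ValueError as exc:
        print("hardened   : rejected ->", exc)
    print("hardened   :", repr(hardened_run("nightly")))
```

Both layers in `hardened_run` matter: validation stops the request at the application boundary (and gives you something to log and alert on), while the argv form guarantees that even a name that slipped past a future regex change cannot reach a shell parser. A third, weaker option when a shell is genuinely required is `shlex.quote()` on each interpolated value, but that only helps if every interpolation site is covered.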
The public advisory for the issue is published by the Japan Vulnerability Notes project at https://jvn.jp/en/jp/JVN88251376/; the vendor's AWS Marketplace seller profile is at https://aws.amazon.com/marketplace/seller-profile?id=08fb48d1-5d60-4feb-93c6-c0c219278a2c. The current and peak EPSS scores both remain at 0.0138, with no material increase observed.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-20191
Vulnerability details
An OS command injection issue exists in Nimesa Backup and Recovery v2.3 and v2.4. If this vulnerability is exploited, arbitrary OS commands may be executed on the server where the product is running.
- CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Nimesa Backup and Recovery v2.3 and v2.4