CVE-2025-50572
Published: 31 July 2025
Summary
CVE-2025-50572 is a high-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Archer (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE ranks at the 31.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
- Filters information in exported CSV files to neutralize crafted inputs that could execute arbitrary code when opened in compatible applications like spreadsheets.
- Validates all unauthenticated remote inputs to the Archer system to reject malicious payloads designed for CSV injection and subsequent code execution.
- Identifies, prioritizes, and remediates the specific flaw in Archer 6.11.00204.10014 enabling unsanitized CSV exports leading to arbitrary code execution.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Direct CSV/formula injection (CWE-1236) enables delivery of a malicious file that executes arbitrary code when opened in spreadsheet applications.
NVD Description
Archer 6.11.00204.10014 allows attackers to execute arbitrary code via crafted system inputs that would be exported into the CSV and be executed after the user opened the file with compatible applications. NOTE: the Supplier does not accept this as a valid vulnerability report against their product.
Deeper analysis (AI)
CVE-2025-50572 is a vulnerability in Archer version 6.11.00204.10014 that enables attackers to execute arbitrary code through crafted system inputs. These inputs are exported into CSV files, where they can be executed when a user opens the file using compatible applications such as spreadsheet software. The issue is classified under CWE-1236 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts. The vulnerability was published on 2025-07-31.
An unauthenticated remote attacker with network access can exploit this vulnerability with low complexity by submitting malicious inputs into the system. Exploitation requires user interaction, specifically a targeted user opening the exported CSV file in a vulnerable application. Successful exploitation allows the attacker to achieve arbitrary code execution on the victim's system, potentially leading to full compromise including data theft, malware deployment, or further lateral movement.
Advisories and references, including those from archer.com, rsa.com, a GitHub repository detailing CSV injection for command execution (github.com/shorooq-hummdi/Archer-csv-injection-command-exec), and an Archer IRM community blog on formula injection in RSA Archer 6.1.x and higher, provide technical details on the issue. Notably, the supplier does not accept this as a valid vulnerability report against their product, and no specific patches or mitigations are detailed in the available information.
In context, this appears to be a disputed CSV injection vector without confirmed real-world exploitation reports in the provided data.
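The output-filtering control described above (neutralizing formula elements at CSV export time, CWE-1236) can be sketched as follows. This is an added example, not Archer's code or a vendor fix; the function names, the set of trigger characters (taken from common OWASP guidance) and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re

# Leading characters that spreadsheet applications treat as the start of a
# formula (assumption: the set commonly cited in OWASP CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
# Plain signed numbers such as -42 or +3.5 are data, not formulas.
PLAIN_NUMBER = re.compile(r"[+-]?\d+(\.\d+)?")


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet could evaluate this cell instead of displaying it."""
    stripped = value.lstrip(" ")  # leading spaces do not stop evaluation everywhere
    if not stripped.startswith(FORMULA_TRIGGERS):
        return False
    return PLAIN_NUMBER.fullmatch(stripped) is None


def neutralize_cell(value) -> str:
    """Force a risky cell to be read as text by prefixing a single quote."""
    text = "" if value is None else str(value)
    return "'" + text if is_formula_like(text) else text


def export_csv(rows) -> str:
    """Write rows with every cell neutralized and quoted."""
    buf = io.StringIO()
    # QUOTE_ALL keeps embedded delimiters and quotes inside one field, so a
    # value cannot split into a new cell that starts with a trigger character.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample records standing in for user-supplied field values.
SAMPLE_ROWS = [
    ["id", "title", "amount"],
    [1, "Quarterly review", "-42"],
    [2, "=1+1", "+3.5"],
    [3, "  @SUM(A1:A2)", 'say "hi"'],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS))
```

The quote prefix changes the stored value for any downstream tool that parses the CSV programmatically, so apply it only on exports intended for spreadsheet use.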
Details
- CWE(s)