Cyber Resilience

CVE-2025-52365

High

Published: 03 March 2026
Modified: 27 April 2026
KEV Added: not listed
CVSS Score (v3.1): 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (32.1st percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-52365 is a high-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Python (T1059.006). The vulnerability is ranked at the 32.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-52365, published on 2026-03-03, is a command injection vulnerability (CWE-77) in the szc script of the ccurtsinger/stabilizer GitHub repository. The flaw allows attackers to execute arbitrary system commands via unsanitized user input passed directly to os.system(). It arises from improper input handling, where command-line arguments are concatenated into shell commands without validation. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Exploitation requires local access (AV:L) with low privileges (PR:L) and no user interaction (UI:N), enabling an attacker to achieve high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). Although the description references remote attackers, the CVSS metrics specify a local attack vector. Successful exploitation grants arbitrary system command execution on the affected host.
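To make the weakness described above concrete, here is an added, constructed illustration of the CWE-77 pattern (a wrapper that splices command-line arguments into an os.system() string) beside a hardened form that validates input (the SI-10 control named in the summary) and launches the tool from an argv list with no shell. It is not the szc script or any code from the stabilizer project; the tool name `stabilizer-tool` and all function names are hypothetical.

```python
"""Constructed example: CWE-77 via os.system() concatenation, and its fix.
The tool name and every function here are hypothetical, not the szc script."""
import os
import re
import shlex
import subprocess
import sys

TOOL = "stabilizer-tool"  # hypothetical binary the wrapper launches
SAFE_ARG = re.compile(r"[A-Za-z0-9_.@:=+,/-]+")  # conservative allow-list


def build_shell_command_unsafe(user_args):
    """Vulnerable pattern: arguments become part of one shell string, so any
    metacharacter in an argument (';', '|', '$(..)') is parsed as a command."""
    return TOOL + " " + " ".join(user_args)


def run_unsafe(user_args):
    return os.system(build_shell_command_unsafe(user_args))  # CWE-77 sink


def shell_operators(cmd):
    """Lex a command string as sh would and return any control operators found;
    a non-empty result means part of an 'argument' would run as a command."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return [tok for tok in lexer if set(tok) <= set("();<>|&")]


def is_valid_arg(arg):
    """SI-10 style input validation: accept only allow-listed characters
    rather than trying to strip a denylist of known-bad ones."""
    return SAFE_ARG.fullmatch(arg) is not None


def build_argv_safe(user_args):
    """Hardened form: validated arguments in an argv list. With no shell in
    the path, each element reaches the tool as exactly one word."""
    bad = [a for a in user_args if not is_valid_arg(a)]
    if bad:
        raise ValueError(f"rejected argument(s): {bad!r}")
    return [TOOL, *user_args]


def run_safe(user_args):
    return subprocess.run(build_argv_safe(user_args), check=False).returncode


if __name__ == "__main__":
    print(shell_operators(build_shell_command_unsafe(sys.argv[1:])))
    print(build_argv_safe(sys.argv[1:]))
```

Running the script with an argument such as `"a.out; echo injected"` shows the unsafe string lexing into a second command while the hardened path rejects the argument outright.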

Mitigation details and further analysis can be found in the referenced sources: the stabilizer repository at https://github.com/ccurtsinger/stabilizer/, the vulnerable szc script at https://github.com/ccurtsinger/stabilizer/blob/master/szc, and CVE research at https://github.com/h1dr1/CVE_Research/blob/main/CVE-2025-52365.md.

Vulnerability details

A command injection vulnerability in the szc script of the ccurtsinger/stabilizer repository allows remote attackers to execute arbitrary system commands via unsanitized user input passed to os.system(). The vulnerability arises from improper input handling where command-line arguments are directly concatenated into shell commands without validation.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1059.006 Python (Execution): Adversaries may abuse Python commands and scripts for execution.
T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local command injection via unsanitized os.system() directly enables arbitrary Unix shell command execution (T1059.006) and supports privilege escalation from low-privileged local context to full system impact (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One (shared CWE-77)

CVE-2024-46662, CVE-2026-23862, CVE-2025-64671, CVE-2026-40698, CVE-2025-55125, CVE-2026-41953, CVE-2026-30898, CVE-2026-38707, CVE-2024-53412, CVE-2026-3517

Mitigating Controls (NIST 800-53 r5, AI)

Prevent (SI-10, Information Input Validation): Directly requires validation and sanitization of user input before it is concatenated into shell commands executed by os.system(), preventing command injection.

Prevent (SI-2, Flaw Remediation): Mandates timely identification, reporting, and correction of the specific flaw in the szc script's improper input handling.

Prevent (least privilege): Enforces least privilege for the process running the szc script, limiting the scope and impact of arbitrary commands executed via injection.
