CVE-2025-52365
Published: 03 March 2026
Summary
CVE-2025-52365 is a high-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter: Python (T1059.006). It ranks at the 32.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-52365, published on 2026-03-03, is a command injection vulnerability (CWE-77) in the szc script of the ccurtsinger/stabilizer GitHub repository. The flaw allows attackers to execute arbitrary system commands via unsanitized user input passed directly to os.system(). It arises from improper input handling, where command-line arguments are concatenated into shell commands without validation. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
As scored, exploitation requires local access (AV:L) with low privileges (PR:L) and no user interaction (UI:N), and yields high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). Note the mismatch: the prose description speaks of remote attackers, but the CVSS vector is local, so the scored scenario is an attacker who can already run the szc script (or control its arguments) on the host. Successful exploitation gives arbitrary command execution under the account that runs szc; whether that is a privilege escalation depends on whether szc is invoked by a more privileged user than the attacker.
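The vulnerable pattern described above, shown as an added example that is not code from the stabilizer repository: a hypothetical build wrapper that splices its argument into an os.system() string, next to the hardened forms (an argv list with no shell, an allow-list validation check in the spirit of SI-10, and shlex.quote for the case where a shell is unavoidable). The tool name (echo standing in for the compiler), the argument layout, the output file name and the injection payload are all assumptions constructed for this demonstration.

```python
import os
import re
import shlex
import subprocess
import tempfile

# Hypothetical build wrapper modelled on the szc pattern (argv concatenated
# into a shell string). Not the project's code: the tool name, argument
# layout and output file name are assumptions. "echo" stands in for the
# compiler so the example runs anywhere with /bin/sh.
COMPILER = "echo"
SAFE_ARGUMENT = re.compile(r"[A-Za-z0-9_./-]+")


def build_command_unsafe(source: str) -> str:
    """Vulnerable pattern: the argument is spliced into one shell string,
    so ; | & $() ` and newlines in `source` are interpreted by /bin/sh."""
    return COMPILER + " -O2 " + source + " -o a.out"


def run_unsafe(source: str) -> int:
    # os.system() always invokes /bin/sh -c on the whole string
    return os.system(build_command_unsafe(source))


def run_argv(source: str) -> int:
    """No shell: the argument travels as a single argv element, so shell
    metacharacters are never parsed (they reach the tool as literal text)."""
    argv = [COMPILER, "-O2", source, "-o", "a.out"]
    return subprocess.run(argv, check=False, stdout=subprocess.DEVNULL).returncode


def is_safe_argument(arg: str) -> bool:
    """SI-10 style allow-list: path characters only, and no leading '-' so
    the argument cannot be mistaken for a compiler option either."""
    return bool(SAFE_ARGUMENT.fullmatch(arg)) and not arg.startswith("-")


def run_safe(source: str) -> int:
    """Hardened form: validate first, then run without a shell."""
    if not is_safe_argument(source):
        raise ValueError(f"rejected argument: {source!r}")
    return run_argv(source)


def build_command_quoted(source: str) -> str:
    """If a shell is genuinely needed (pipes, redirects), quote every
    untrusted word so it stays a single literal argument."""
    return COMPILER + " -O2 " + shlex.quote(source) + " -o a.out"


def injection_demo() -> dict:
    """Feed a benign payload to each path; report where the injection fires."""
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "injected")
        # Constructed payload: terminates the intended command, runs touch,
        # and comments out the trailing " -o a.out" with '#'.
        payload = f"prog.c; touch {marker} #"

        run_unsafe(payload)
        unsafe_fired = os.path.exists(marker)
        if unsafe_fired:
            os.remove(marker)

        run_argv(payload)
        argv_fired = os.path.exists(marker)

        try:
            run_safe(payload)
            safe_rejected = False
        except ValueError:
            safe_rejected = True

        os.system(build_command_quoted(payload) + " > /dev/null")
        quoted_fired = os.path.exists(marker)

    return {
        "unsafe_fired": unsafe_fired,
        "argv_fired": argv_fired,
        "safe_rejected": safe_rejected,
        "quoted_fired": quoted_fired,
    }


if __name__ == "__main__":
    print(injection_demo())
```

Running the script shows the marker file appearing only on the os.system() path. The argv form alone closes the shell-injection route, since no shell ever parses the string; the allow-list is defence in depth that also blocks option injection (an argument beginning with "-" that the compiler would interpret as a flag), which the no-shell form does not prevent by itself.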
Mitigation details and further analysis can be found in the referenced sources: the stabilizer repository at https://github.com/ccurtsinger/stabilizer/, the vulnerable szc script at https://github.com/ccurtsinger/stabilizer/blob/master/szc, and CVE research at https://github.com/h1dr1/CVE_Research/blob/main/CVE-2025-52365.md.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208230
Vulnerability details
A command injection vulnerability in the szc script of the ccurtsinger/stabilizer repository allows remote attackers to execute arbitrary system commands via unsanitized user input passed to os.system(). The vulnerability arises from improper input handling where command-line arguments are directly concatenated into shell commands without validation.
- CWE(s): CWE-77 (Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local command injection through an unsanitized os.system() call in a Python script lets the attacker run arbitrary commands via the interpreter (Command and Scripting Interpreter: Python, T1059.006) and, where szc is run by a more privileged account than the attacker's, supports privilege escalation from a low-privileged local context to full system impact (Exploitation for Privilege Escalation, T1068).
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): requires validation and sanitization of user-supplied arguments before they are concatenated into shell commands executed by os.system(), or, better, avoiding the shell altogether by passing arguments as a separate argv list; this removes the injection path.
SI-2 (Flaw Remediation): mandates timely identification, reporting, and correction of the specific flaw in the szc script's input handling.
AC-6 (Least Privilege): enforces least privilege for the account and process running the szc script, limiting the scope and impact of any commands executed via injection.