Cyber Resilience

CVE-2025-54374

High · Public PoC · RCE

Published: 03 October 2025
Modified: 24 October 2025
KEV Added: none
Patch: none
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0039 (60.3rd percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-54374 is a high-severity Code Injection (CWE-94) vulnerability in Mayneyao Eidos. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 39.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-54374 is a one-click remote code execution vulnerability (CWE-94) affecting Eidos, an extensible framework for Personal Data Management. The flaw exists in versions 0.21.0 and below, specifically within the application's custom URL handler for the "eidos:" protocol. When triggered, the handler processes malicious payloads without sufficient validation, enabling arbitrary code execution on the victim's local machine. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility and potential for complete system compromise.

Attackers can exploit this vulnerability without privileges by embedding a specially crafted "eidos:" URL on any website they control or compromise. A victim simply needs to visit the site or click the link, prompting their browser to invoke the Eidos application's URL handler. This launches the app and executes the embedded payload, granting the attacker remote code execution on the victim's machine with full confidentiality, integrity, and availability impacts.

The primary advisory, published via GitHub Security Advisory GHSA-qhhm-56qp-xr2r, confirms no patch or fix is available as of October 3, 2025. Security practitioners should advise users to avoid clicking suspicious "eidos:" links, disable the custom URL handler if possible, or uninstall Eidos until a remediation is released. Monitoring for exploitation attempts targeting Eidos users remains critical in the interim.
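The root cause described above is a custom-protocol handler that acts on URL content without validating it (the SI-10 gap). The following is an added example, not Eidos's code and not derived from the advisory: it shows the defensive shape such a handler should have, namely parsing the URL, allowlisting the action, the resource identifier and every query parameter, and dispatching only on the validated structure rather than on raw URL text. The URL format used here (eidos://<action>/<resourceId>?<params>), the action names and the parameter rules are hypothetical assumptions, since the advisory does not document the real eidos: URL grammar.

```javascript
// Added example: allowlist-based validation of a custom-scheme URL before a
// desktop app acts on it. The URL format and the action/parameter allowlist are
// assumptions for illustration; the real eidos: grammar is not documented here.

const MAX_URL_LENGTH = 2048;

// Allowlist: action -> query parameters it may carry and the values they may take.
// Patterns are explicit character classes, never \s or \w, so decoded control
// characters or unicode cannot slip in through percent-encoding.
const ACTIONS = {
  open:   { params: { view: /^(grid|gallery|doc)$/ } },
  search: { params: { q: /^[A-Za-z0-9 _-]{1,128}$/ } },
};

// Resource identifiers are opaque tokens; anything that could be read as a path,
// a shell fragment or a template expression is rejected outright.
const RESOURCE_ID = /^[A-Za-z0-9_-]{1,64}$/;

function parseEidosUrl(raw) {
  if (typeof raw !== 'string' || raw.length > MAX_URL_LENGTH) {
    return { ok: false, reason: 'bad-input' };
  }
  // Reject C0/DEL control characters before parsing; URL() would silently strip
  // or encode some of them, and a handler payload should never contain them.
  if (/[\u0000-\u001f\u007f]/.test(raw)) {
    return { ok: false, reason: 'control-char' };
  }
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  if (url.protocol !== 'eidos:') return { ok: false, reason: 'wrong-scheme' };
  if (url.username || url.password || url.port) return { ok: false, reason: 'authority' };

  // For eidos://open/..., the WHATWG parser exposes "open" as the hostname.
  const action = url.hostname;
  const spec = Object.prototype.hasOwnProperty.call(ACTIONS, action) ? ACTIONS[action] : null;
  if (!spec) return { ok: false, reason: 'unknown-action' };

  // Exactly one path segment, matching the strict identifier pattern.
  const segments = url.pathname.split('/').filter(Boolean);
  if (segments.length !== 1 || !RESOURCE_ID.test(segments[0])) {
    return { ok: false, reason: 'bad-resource' };
  }

  // Every query parameter must be allowlisted for this action, match its value
  // pattern, and appear at most once. Null-prototype object avoids "constructor"
  // style key collisions.
  const params = Object.create(null);
  for (const [key, value] of url.searchParams) {
    const pattern = Object.prototype.hasOwnProperty.call(spec.params, key) ? spec.params[key] : null;
    if (!pattern || !pattern.test(value) || key in params) {
      return { ok: false, reason: `bad-param:${key}` };
    }
    params[key] = value;
  }
  if (url.hash) return { ok: false, reason: 'fragment' };

  return { ok: true, action, resource: segments[0], params };
}

// Dispatch only on the validated structure. Handlers receive typed, checked
// values; the raw URL string never reaches them.
function handleEidosUrl(raw, handlers) {
  const parsed = parseEidosUrl(raw);
  if (!parsed.ok) return { handled: false, reason: parsed.reason };
  handlers[parsed.action](parsed.resource, parsed.params);
  return { handled: true, action: parsed.action };
}
```

The design choice worth noting is that rejection is the default: an unknown action, an extra path segment, an unexpected query key, a fragment or a credential in the authority each fails closed, and the log-worthy `reason` gives a defender something concrete to alert on when a browser hands the app an unexpected eidos: URL.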


Vulnerability details

Eidos is an extensible framework for Personal Data Management. Versions 0.21.0 and below contain a one-click remote code execution vulnerability. An attacker can exploit this vulnerability by embedding a specially crafted eidos: URL on any website, including a malicious one they control. When a victim visits such a site or clicks on the link, the browser triggers the app's custom URL handler (eidos:), causing the Eidos application to launch and process the URL, leading to remote code execution on the victim's machine. This issue does not have a fix as of October 3, 2025.

CWE(s): CWE-94 Code Injection

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.001 Malicious Link (tactic: Execution)
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Why these techniques?

The vulnerability enables remote code execution via exploitation of a client application (Eidos) triggered by a malicious 'eidos:' URL link, directly mapping to Exploitation for Client Execution (T1203) and User Execution via Malicious Link (T1204.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33336 (shared CWE-94)
CVE-2026-0500 (shared CWE-94)
CVE-2025-27678 (shared CWE-94)
CVE-2024-56448 (shared CWE-94)
CVE-2026-21853 (shared CWE-94)
CVE-2024-57061 (shared CWE-94)
CVE-2025-25467 (shared CWE-94)
CVE-2024-43767 (shared CWE-94)
CVE-2026-43874 (shared CWE-94)
CVE-2026-44006 (shared CWE-94)

Affected Assets

mayneyao eidos ≤ 0.21.0

Mitigating Controls (NIST 800-53 r5, AI-mapped)

SI-10 Information Input Validation (prevent): Directly addresses the lack of validation in Eidos' custom eidos: URL handler, preventing processing of malicious payloads leading to RCE.

Flaw remediation (prevent, recover): Mandates timely identification, reporting, and correction of flaws like CVE-2025-54374, such as uninstalling vulnerable Eidos versions.

CM-11 User-installed Software (prevent): Restricts user-installed software, preventing deployment of vulnerable applications like Eidos with exploitable custom URL handlers.
