Cyber Resilience

CVE-2025-5525

Severity: Medium · Public PoC available

Published: 03 June 2025
Modified: 06 June 2025
KEV Added: not listed
Patch:
CVSS v4 Score: 6.3 (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0317 (87.2nd percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-5525 is a medium-severity command injection (CWE-77) vulnerability in Jrohy trojan. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE is ranked in the top 12.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Deeper analysis

CVE-2025-5525 is an OS command injection vulnerability in Jrohy trojan versions up to 2.15.3. It resides in the LogChan function in the file trojan/util/linux.go, where unsanitized input to the argument c is passed to operating system commands. The issue is tracked under CWE-77 and CWE-78 and carries a CVSS 4.0 score of 6.3, reflecting a network attack vector, high attack complexity, and limited impact on confidentiality, integrity, and availability.

An unauthenticated remote attacker can supply crafted input to trigger command execution. Although the attack requires high complexity and is considered difficult to exploit in practice, the vector is reachable remotely without user interaction or privileges, allowing an adversary to run arbitrary operating system commands on the affected host.

Public proof-of-concept code has been released on GitHub demonstrating the injection, and the vulnerability was disclosed through VulDB. The associated EPSS score has remained flat at 0.0317 with no material increase since publication, indicating limited observed exploitation interest to date.

EU & UK References

Vulnerability details

A vulnerability was found in Jrohy trojan up to 2.15.3. It has been declared as critical. This vulnerability affects the function LogChan of the file trojan/util/linux.go. The manipulation of the argument c leads to os command injection. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
- T1202 Indirect Command Execution (Stealth): Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
Why these techniques?

The OS command injection (CWE-78) in the LogChan function of Jrohy trojan on Linux enables remote, unauthenticated execution of arbitrary Unix shell commands, which maps directly to T1059.004 (Unix Shell) and T1202 (Indirect Command Execution) as noted in advisories.

Affected Assets

jrohy trojan, versions 2.0.0 to 2.15.3

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.
- Addresses CWE-78: Validates inputs to block special elements that would alter OS command execution.
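The pattern the analysis above describes (a caller-controlled argument c reaching an OS command) and the input-validation control listed here, shown side by side as an added Go example. This is a hypothetical illustration written for this page, not the Jrohy source: the command being built (a journalctl invocation) and the unit-name format are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
)

// Hypothetical illustration, not the Jrohy code: a caller-controlled
// value c is spliced into a shell command line, the CWE-78 pattern.
func vulnerableLogCmd(c string) *exec.Cmd {
	// Everything in c, including ';' or '$(...)', reaches /bin/sh.
	return exec.Command("sh", "-c", "journalctl -u "+c+" -f")
}

// Allowlist for a systemd-style unit name (assumed format for the example).
var unitName = regexp.MustCompile(`^[A-Za-z0-9_.@-]{1,64}$`)

// ValidateUnit is the input-validation control from the page: reject any
// value containing characters that could alter shell interpretation.
func ValidateUnit(c string) error {
	if !unitName.MatchString(c) {
		return errors.New("invalid unit name")
	}
	return nil
}

// hardenedLogCmd validates c and passes it as a discrete argv element,
// so no shell ever parses it.
func hardenedLogCmd(c string) (*exec.Cmd, error) {
	if err := ValidateUnit(c); err != nil {
		return nil, err
	}
	return exec.Command("journalctl", "-u", c, "-f"), nil
}

// ShellScript returns the script string the vulnerable form hands to sh,
// showing the raw input embedded verbatim.
func ShellScript(c string) string {
	return vulnerableLogCmd(c).Args[2]
}

func main() {
	c := "trojan; echo injected" // constructed sample input
	fmt.Printf("vulnerable: sh -c %q\n", ShellScript(c))
	_, err := hardenedLogCmd(c)
	fmt.Println("hardened:", err)
}
```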

References