Cyber Resilience

CVE-2025-55294

Critical · RCE

Published: 19 August 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (fixed in 1.15.2)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0060 (70.1st percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-55294 is a critical-severity command injection (CWE-77) vulnerability in the screenshot-desktop library. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it in the top 29.9% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-55294 is a command injection vulnerability (CWE-77) in screenshot-desktop, a Node.js library for capturing screenshots of the local machine. The flaw arises when user-controlled input supplied to the "format" option of the screenshot function is interpolated directly into a shell command string without sanitization, so shell metacharacters in the value are interpreted and arbitrary commands run with the privileges of the calling process. This issue affects versions of screenshot-desktop prior to 1.15.2 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

The CVSS vector rates the flaw as exploitable by an unauthenticated attacker over the network, with low attack complexity and no user interaction or privileges required. The library itself has no network surface of its own: the network vector applies where an application exposes the format option to untrusted input (for example a web service that lets its clients choose the output format). Successful exploitation yields arbitrary command execution at the privilege level of the process invoking the screenshot function, which can lead to full compromise of that host, including data theft, modification, or disruption.

The vulnerability is addressed in screenshot-desktop version 1.15.2. Security advisories recommend updating to this patched version immediately. Additional details are available in the GitHub security advisory (GHSA-gjx4-2c7g-fm94) and the fixing commit (59c87b0c175eec76090e6ccde313f4fc5d569b78).

Vulnerability details

screenshot-desktop allows capturing a screenshot of your local machine. This vulnerability is a command injection issue. When user-controlled input is passed into the format option of the screenshot function, it is interpolated into a shell command without sanitization. This results in arbitrary command execution with the privileges of the calling process. This vulnerability is fixed in 1.15.2.

CWE(s)

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Command injection in exposed library function enables remote arbitrary command execution (T1059) via public-facing apps (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-67397 (shared CWE-77)
CVE-2024-55030 (shared CWE-77)
CVE-2025-24818 (shared CWE-77)
CVE-2025-9223 (shared CWE-77)
CVE-2026-8431 (shared CWE-77)
CVE-2026-44869 (shared CWE-77)
CVE-2025-70093 (shared CWE-77)
CVE-2025-0593 (shared CWE-77)
CVE-2026-34259 (shared CWE-77)
CVE-2026-44866 (shared CWE-77)

Affected Assets

screenshot-desktop (npm package), versions prior to 1.15.2

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Requires timely identification, prioritization, assessment, and remediation of flaws such as this command injection by updating screenshot-desktop to the patched version 1.15.2.

SI-10 Information Input Validation (prevent)
Mandates validation of the user-controlled format value (for example an allowlist of supported formats) before it reaches a shell command, directly preventing command injection.

AC-6 Least Privilege (prevent)
Enforces least privilege on the calling process, limiting the scope and impact of arbitrary command execution resulting from the vulnerability.

References

GitHub Security Advisory GHSA-gjx4-2c7g-fm94
Fixing commit 59c87b0c175eec76090e6ccde313f4fc5d569b78