Cyber Resilience

CVE-2025-57439

High · Public PoC · RCE

Published: 22 September 2025

Modified: 17 October 2025
KEV Added: (not listed)
Patch: (none listed)
CVSS v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS: 0.0042 (62.1st percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-57439 is a high-severity Code Injection (CWE-94) vulnerability in Creacast Creabox Manager. Its CVSS base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Lua (T1059.011). The EPSS score places it in the top 37.9% of CVEs by exploit likelihood. It is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-5 (Access Restrictions for Change) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-57439, published on 2025-09-22, is a Remote Code Execution vulnerability in Creacast Creabox Manager version 4.4.4, rated High with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and mapped to CWE-94 (Code Injection). The flaw is in the edit.php endpoint: the configuration it writes is later executed by the server as Lua, so an attacker who can submit configuration changes can inject arbitrary Lua statements and have them run with the application's privileges.

The published description states that exploitation requires an authenticated attacker. The attack is reachable over the network and has low attack complexity; the vector records user interaction as required (UI:R). Note one inconsistency a practitioner should be aware of: the vector encodes PR:N (no privileges required), which does not agree with the authenticated precondition in the description. Until the vendor clarifies, plan on the lower bar. Successful exploitation gives full system compromise, including a reverse shell or arbitrary command execution.

For mitigation details, refer to the vendor advisory at http://www.creacast.com/ and the research repository at https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-57439.


Vulnerability details

Creacast Creabox Manager 4.4.4 contains a critical Remote Code Execution vulnerability accessible via the edit.php endpoint. An authenticated attacker can inject arbitrary Lua code into the configuration, which is then executed on the server. This allows full system compromise, including reverse shell execution or arbitrary command execution.

CWE(s)

CWE-94 Code Injection

Related Threats

MITRE ATT&CK Enterprise Techniques

T1059.011 Lua (Execution): Adversaries may abuse Lua commands and scripts for execution.
T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The vulnerability allows an authenticated remote attacker to inject arbitrary Lua code into the configuration file, which the server then executes. That is direct Lua-based command and scripting interpreter execution (T1059.011), and because the entry point is a network-reachable service it also fits exploitation of remote services (T1210).

CVEs Like This One

CVE-2024-49747 (shared CWE-94)
CVE-2024-43770 (shared CWE-94)
CVE-2024-43771 (shared CWE-94)
CVE-2026-21537 (shared CWE-94)
CVE-2025-42880 (shared CWE-94)
CVE-2026-41246 (shared CWE-94)
CVE-2025-65294 (shared CWE-94)
CVE-2024-42911 (shared CWE-94)
CVE-2025-2787 (shared CWE-94)
CVE-2025-48984 (shared CWE-94)

Affected Assets

Creacast Creabox Manager, version 4.4.4

Mitigating Controls (NIST 800-53 r5)

prevent: SI-10 (Information Input Validation). Validate what the edit.php endpoint accepts so that only expected configuration keys and literal values reach the configuration file; anything that would be compiled as a Lua statement is rejected rather than written.

prevent: vendor patch. Remediate the code injection flaw in Creacast Creabox Manager 4.4.4 by applying the vendor fix as soon as one is published; no patch is listed on this page at the time of writing.

prevent: CM-5 (Access Restrictions for Change). Restrict configuration change endpoints such as edit.php to authorized administrators, so that an attacker who obtains a low-privilege account cannot reach the injection point.
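The mechanism described in the Deeper analysis (a configuration written through edit.php and later executed by the server as Lua) and the SI-10 input validation control above are both illustrated by the following added example. It is not code from Creabox Manager or from the referenced research repository; the page does not describe how Creabox loads its configuration, so the vulnerable loader shown (compiling the file with a global-inheriting environment) is an assumed but common pattern, and the config format, key names and injected line are constructed. It needs Lua 5.2 or later for load() with an explicit environment.

```lua
-- Added example, not code from Creabox Manager or the researcher's repo:
-- why executing a configuration file as Lua turns a config write into code
-- execution (CWE-94), and how a loader and a validator can close it.
-- Config format, key names and the injected line are constructed.
-- Requires Lua 5.2+ (load() with an explicit environment table).

-- Constructed config of the shape an application might expect: bare
-- key = value assignments, which also happen to be valid Lua statements.
local BENIGN_CONFIG = [[
stream_name = "studio-1"
bitrate = 128
]]

-- The same config with one injected line. Because the whole file is
-- compiled as Lua, any statement is accepted. os.time() stands in for the
-- attacker's call because it is harmless; os.execute and io.popen sit in
-- the same tables and are reachable the same way.
local INJECTED_CONFIG = BENIGN_CONFIG .. [[
probe = os.time()
]]

-- Vulnerable pattern (assumed): compile the text and run it to fill a table.
-- The __index = _G fallback makes every global (os, io, require, dofile)
-- visible to the config, so a config write becomes an RCE primitive.
local function load_config_vulnerable(text)
  local env = setmetatable({}, { __index = _G })
  local chunk, err = load(text, "config", "t", env)
  if not chunk then return nil, err end
  local ok, runerr = pcall(chunk)
  if not ok then return nil, runerr end
  return env
end

-- Partial fix: execute in an empty environment and text-only mode ("t"
-- refuses precompiled bytecode). os/io/require are not reachable, so the
-- injected line fails with "attempt to index a nil value". The config is
-- still code, so a loop or a huge string:rep() can still exhaust the
-- process; treat this as defence in depth, not as the fix.
local function load_config_sandboxed(text)
  local env = {}
  local chunk, err = load(text, "config", "t", env)
  if not chunk then return nil, err end
  local ok, runerr = pcall(chunk)
  if not ok then return nil, runerr end
  return env
end

-- Proper fix (the SI-10 control): parse the config as data and never
-- compile it. Only `known_key = "string"`, `known_key = number` or
-- `known_key = true|false` lines pass; calls, indexing, operators, extra
-- statements and unknown keys are rejected with the offending line number.
local ALLOWED_KEYS = { stream_name = true, bitrate = true }

local function parse_config_strict(text)
  local cfg, lineno = {}, 0
  for line in (text .. "\n"):gmatch("(.-)\n") do
    lineno = lineno + 1
    if not line:match("^%s*$") and not line:match("^%s*%-%-") then
      local key, raw = line:match("^%s*([%a_][%w_]*)%s*=%s*(.-)%s*$")
      if not key then
        return nil, ("line %d: not a key = value assignment"):format(lineno)
      end
      if not ALLOWED_KEYS[key] then
        return nil, ("line %d: unknown key %q"):format(lineno, key)
      end
      local str = raw:match('^"([^"\\]*)"$')   -- no quotes or escapes inside
      if str then
        cfg[key] = str
      elseif raw:match("^%-?%d+%.?%d*$") then
        cfg[key] = tonumber(raw)
      elseif raw == "true" or raw == "false" then
        cfg[key] = (raw == "true")
      else
        return nil, ("line %d: value %q is not a literal"):format(lineno, raw)
      end
    end
  end
  return cfg
end

-- Run all three loaders over the constructed inputs.
local v = assert(load_config_vulnerable(INJECTED_CONFIG))
print("vulnerable loader, injected line reached os.time:", v.probe ~= nil)

local s, serr = load_config_sandboxed(INJECTED_CONFIG)
print("sandboxed loader:", s, serr)

local c = assert(parse_config_strict(BENIGN_CONFIG))
print("strict parser, benign config:", c.stream_name, c.bitrate)
local i, ierr = parse_config_strict(INJECTED_CONFIG)
print("strict parser, injected config:", i, ierr)
```

The strict parser is deliberately narrow: a line such as `bitrate = 128; os.execute("id")` fails because the value is not a single literal, and `probe = os.time()` fails earlier because the key is not on the allow list. That same check belongs in edit.php before the configuration is written, which is where SI-10 applies; CM-5 (who may reach edit.php at all) is an access-control decision outside this example.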
