Cyber Resilience

CVE-2025-57516

High · Public PoC · RCE

Published: 29 September 2025

Modified: 23 December 2025
KEV Added: not listed
Patch: none recorded
CVSS v3.1 score: 8.2 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N)
EPSS score: 0.0287 (86.6th percentile)
Risk priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-57516 is a high-severity OS Command Injection (CWE-78) vulnerability in Publiccms Publiccms. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 13.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-57516 is an OS command injection vulnerability (CWE-78) affecting PublicCMS versions V5.202506.a and V5.202506.b. The flaw resides in the backupDB.bat file, where unsanitized DATABASE, USERNAME, or PASSWORD variables are passed directly to operating system commands, enabling arbitrary command execution. It carries a CVSS 3.1 score of 8.2 with network attack vector, low complexity, and no required privileges or user interaction.

An unauthenticated attacker can supply crafted values for the affected variables over the network to execute arbitrary operating system commands on the host running the vulnerable backup script. Successful exploitation yields high integrity impact and limited confidentiality impact while leaving availability unaffected.

The single reference points to a GitHub issue without accompanying advisory text or patch details in the supplied data. The associated EPSS score remains low, moving only from 0.0287 to a peak of 0.0342.

Vulnerability details

OS Command injection vulnerability in PublicCMS PublicCMS-V5.202506.a, and PublicCMS-V5.202506.b allowing attackers to execute arbitrary commands via crafted DATABASE, USERNAME, or PASSWORD variables to the backupDB.bat file.

CWE(s): CWE-78 (OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.003 Windows Command Shell (Execution): Adversaries may abuse the Windows command shell for execution.
Why these techniques?

OS command injection in the public-facing backupDB.bat endpoint enables remote, unauthenticated arbitrary command execution via the Windows command shell.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2026-1112 (same product: Publiccms Publiccms)
- CVE-2025-25361 (same product: Publiccms Publiccms)
- CVE-2025-69437 (same product: Publiccms Publiccms)
- CVE-2026-3289 (same product: Publiccms Publiccms)
- CVE-2026-1111 (same product: Publiccms Publiccms)
- CVE-2026-28391 (shared CWE-78)
- CVE-2026-30302 (shared CWE-78)
- CVE-2025-11953 (shared CWE-78)
- CVE-2023-53941 (shared CWE-78)
- CVE-2020-37032 (shared CWE-78)

Affected Assets

Vendor: publiccms
Product: publiccms
Versions: 5.202506.a, 5.202506.b

Mitigating Controls (NIST 800-53 r5) (AI)

- Prevent (SI-10 Information Input Validation): Directly prevents OS command injection by implementing input validation mechanisms on the DATABASE, USERNAME, and PASSWORD variables before they are used in backupDB.bat system commands.
- Prevent (SI-2 Flaw Remediation): Ensures timely identification, reporting, and correction of the specific OS command injection flaw in PublicCMS backupDB.bat.
- Prevent: Enforces restrictions on input types, lengths, and formats at system boundaries to block malicious payloads targeting the vulnerable backupDB.bat parameters.
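The input-validation control above, as an added Python illustration that is not PublicCMS code: allowlist checks on the DATABASE, USERNAME and PASSWORD values before they are handed to the batch script. The identifier pattern, length limits and the backupDB.bat argument order are assumptions for the example.

```python
"""Allowlist validation for the DATABASE / USERNAME / PASSWORD values a backup
routine hands to a Windows batch script (NIST 800-53 SI-10).

Added illustration, not PublicCMS code. The identifier pattern, length limits
and the argument order of the hypothetical backupDB.bat call are assumptions.
"""
import re
from typing import Dict, List, Tuple

# Database and account identifiers: letters, digits, underscore, dash; bounded length.
_IDENT_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Characters cmd.exe interprets even inside a quoted batch argument: command
# separators, redirection, variable expansion and the escape character.
_CMD_META = set('&|<>^%!"\r\n')


class ValidationError(ValueError):
    pass


def validate_identifier(name: str, value: str) -> str:
    if not _IDENT_RE.fullmatch(value):
        raise ValidationError(f"{name}: must match {_IDENT_RE.pattern}")
    return value


def validate_password(value: str) -> str:
    # Passwords legitimately carry punctuation, so only the length and the
    # cmd.exe metacharacters that would change the parsed command are rejected.
    if not 1 <= len(value) <= 128:
        raise ValidationError("PASSWORD: length must be 1..128")
    bad = sorted(set(value) & _CMD_META)
    if bad:
        raise ValidationError(f"PASSWORD: disallowed characters {bad}")
    return value


def build_backup_command(database: str, username: str, password: str) -> List[str]:
    """Return the argv for the hypothetical backupDB.bat call, validated first.
    cmd.exe re-parses every argument passed to a .bat file, so an argv list alone
    does not neutralise metacharacters; the allowlist above is the actual control."""
    args = [validate_identifier("DATABASE", database),
            validate_identifier("USERNAME", username),
            validate_password(password)]
    return ["cmd.exe", "/c", "backupDB.bat", *args]


def check_request(params: Dict[str, str]) -> Tuple[bool, str]:
    """Validate one request's parameters; returns (accepted, reason) for audit logging."""
    try:
        build_backup_command(params["DATABASE"], params["USERNAME"], params["PASSWORD"])
    except ValidationError as e:
        return False, str(e)
    return True, "ok"
```

Running `check_request` on a constructed request such as `{"DATABASE": "cms_prod & dir", "USERNAME": "backup", "PASSWORD": "x"}` returns `(False, ...)`, while a value that fits the identifier pattern is accepted.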
