CVE-2025-57516
Published: 29 September 2025
Summary
CVE-2025-57516 is a high-severity OS Command Injection (CWE-78) vulnerability in PublicCMS (vendor PublicCMS). Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 13.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-57516 is an OS command injection vulnerability (CWE-78) affecting PublicCMS versions V5.202506.a and V5.202506.b. The flaw resides in the backupDB.bat file, where unsanitized DATABASE, USERNAME, or PASSWORD variables are passed directly to operating system commands, enabling arbitrary command execution. It carries a CVSS 3.1 score of 8.2 with network attack vector, low complexity, and no required privileges or user interaction.
An unauthenticated attacker can supply crafted values for the affected variables over the network to execute arbitrary operating system commands on the host running the vulnerable backup script. Successful exploitation yields high integrity impact and limited confidentiality impact while leaving availability unaffected.
The single reference points to a GitHub issue without accompanying advisory text or patch details in the supplied data. The associated EPSS score remains low, moving only from 0.0287 to a peak of 0.0342.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-31576
Vulnerability details
OS command injection vulnerability in PublicCMS-V5.202506.a and PublicCMS-V5.202506.b allows attackers to execute arbitrary commands via crafted DATABASE, USERNAME, or PASSWORD variables passed to the backupDB.bat file.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in the public-facing backupDB.bat endpoint enables remote, unauthenticated arbitrary command execution via the Windows Command Shell (T1059.003).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly prevents OS command injection by validating the DATABASE, USERNAME, and PASSWORD variables before they are used in backupDB.bat system commands.
- SI-2 (Flaw Remediation): Ensures timely identification, reporting, and correction of the specific OS command injection flaw in PublicCMS backupDB.bat.
- Enforces restrictions on input types, lengths, and formats at system boundaries to block malicious payloads targeting the vulnerable backupDB.bat parameters.
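The following is an added illustration of the SI-10 control described above, written for this page and not taken from PublicCMS. It assumes (hypothetically, since the page gives no script contents) that backupDB.bat hands DATABASE, USERNAME and PASSWORD to a dump tool such as mysqldump; it shows the CWE-78 pattern of splicing the variables into a shell string beside a hardened form that allowlists the identifiers, rejects shell metacharacters in the password, and passes the arguments as an argv list with the secret in the environment.

```python
import os
import re
import subprocess
from typing import Dict, List, Tuple

# Constructed example, not PublicCMS code. Assumption: the backup script
# invokes mysqldump with the DATABASE, USERNAME and PASSWORD values.

# Allowlist for DATABASE and USERNAME: MySQL-style identifiers only.
_IDENTIFIER = re.compile(r"[A-Za-z0-9_]{1,64}")
# Characters cmd.exe interprets (redirection, chaining, variable expansion).
# A value containing any of them is rejected rather than escaped, because
# escaping rules differ between shells and are easy to get wrong.
_CMD_META = set('&|<>^%!"\'`()\r\n')


def is_safe_identifier(value: str) -> bool:
    return bool(_IDENTIFIER.fullmatch(value))


def is_safe_password(value: str) -> bool:
    return 0 < len(value) <= 128 and not (_CMD_META & set(value))


def vulnerable_command_string(database: str, username: str, password: str) -> str:
    """The CWE-78 pattern the advisory describes: untrusted values spliced
    into one string that the command shell parses. Shown for contrast only;
    nothing in this file executes it."""
    return f"mysqldump -u {username} -p{password} {database} > backup.sql"


def build_backup_command(database: str, username: str,
                         password: str) -> Tuple[List[str], Dict[str, str]]:
    """Hardened form (NIST SI-10): validate every variable, then build an
    argv list. The password goes via MYSQL_PWD (read by mysqldump) so it is
    neither shell-parsed nor visible in process listings."""
    for field, value in (("DATABASE", database), ("USERNAME", username)):
        if not is_safe_identifier(value):
            raise ValueError(f"{field} rejected: only [A-Za-z0-9_] (1-64 chars) allowed")
    if not is_safe_password(password):
        raise ValueError("PASSWORD rejected: empty, too long, or contains shell metacharacters")
    argv = ["mysqldump", f"--user={username}", "--result-file=backup.sql", database]
    env = dict(os.environ, MYSQL_PWD=password)
    return argv, env


def run_backup(database: str, username: str, password: str) -> int:
    """Runs the validated command with shell=False: each argv element reaches
    mysqldump as exactly one argument, so metacharacters are inert."""
    argv, env = build_backup_command(database, username, password)
    return subprocess.run(argv, env=env, shell=False, check=False).returncode
```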