CVE-2025-57633
Published: 09 September 2025
Summary
CVE-2025-57633 is a critical-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 37.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-57633 is a command injection vulnerability (CWE-77) in FTP-Flask-python through commit 5173b68. The issue affects the /ftp.html endpoint's "Upload File" action, which constructs a shell command using the unsanitized ftp_file parameter and executes it via os.system() without proper escaping or validation, enabling arbitrary OS command execution.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no privileges or user interaction required, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation grants attackers the ability to execute arbitrary operating system commands on the host, potentially resulting in high confidentiality, integrity, and availability impacts, such as full server compromise.
References include a GitHub Gist at https://gist.github.com/Spendroslav/1c0c6a6556992291b19c3178e3cb5885, likely containing disclosure details or proof-of-concept, and the vulnerable ftp_app.py source code at https://github.com/ajaypp123/FTP-Flask-python/blob/5173b6828244ff9729fa29cc144d74ccbea30a73/ftp_app.py. No vendor advisories or patches are specified in the available information; practitioners should avoid deploying versions up to 5173b68 and review the codebase for remediation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-27500
Vulnerability details
A command injection vulnerability in FTP-Flask-python through 5173b68 allows unauthenticated remote attackers to execute arbitrary OS commands. The /ftp.html endpoint's "Upload File" action constructs a shell command from the ftp_file parameter and executes it using os.system() without sanitization or escaping.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection in public-facing web endpoint (/ftp.html) via unsanitized input to os.system() directly enables remote exploitation of the app (T1190) and arbitrary Unix shell command execution (T1059.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of the unsanitized ftp_file parameter before constructing and executing shell commands via os.system to prevent command injection.
Mandates identification, reporting, and correction of the command injection flaw in FTP-Flask-python, including patching or replacing vulnerable os.system usage.
Enforces restrictions such as whitelisting or length limits on the ftp_file input at the application level to block malicious command injection payloads.