Cyber Resilience

CVE-2025-57633

Critical RCE

Published: 09 September 2025
Modified: 15 April 2026
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0042 (62.1st percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-57633 is a critical-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 37.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-57633 is a command injection vulnerability (CWE-77) in FTP-Flask-python through commit 5173b68. The issue affects the /ftp.html endpoint's "Upload File" action, which constructs a shell command using the unsanitized ftp_file parameter and executes it via os.system() without proper escaping or validation, enabling arbitrary OS command execution.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no privileges or user interaction required, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation grants attackers the ability to execute arbitrary operating system commands on the host, potentially resulting in high confidentiality, integrity, and availability impacts, such as full server compromise.

References include a GitHub Gist at https://gist.github.com/Spendroslav/1c0c6a6556992291b19c3178e3cb5885, likely containing disclosure details or a proof of concept, and the vulnerable ftp_app.py source code at https://github.com/ajaypp123/FTP-Flask-python/blob/5173b6828244ff9729fa29cc144d74ccbea30a73/ftp_app.py. No vendor advisory or patch is specified in the available information; practitioners should avoid deploying versions up to 5173b68 and review the codebase for remediation.


Vulnerability details

A command injection vulnerability in FTP-Flask-python through 5173b68 allows unauthenticated remote attackers to execute arbitrary OS commands. The /ftp.html endpoint's "Upload File" action constructs a shell command from the ftp_file parameter and executes it using os.system() without sanitization or escaping.

CWE(s)

CWE-77 (Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in a public-facing web endpoint (/ftp.html) via unsanitized input reaching os.system() directly enables remote exploitation of the application (T1190) and arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-4048 (shared CWE-77)
CVE-2026-31059 (shared CWE-77)
CVE-2026-22284 (shared CWE-77)
CVE-2024-39783 (shared CWE-77)
CVE-2024-57583 (shared CWE-77)
CVE-2026-46368 (shared CWE-77)
CVE-2024-39781 (shared CWE-77)
CVE-2024-39367 (shared CWE-77)
CVE-2026-3518 (shared CWE-77)
CVE-2024-57590 (shared CWE-77)


Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent: SI-10 (Information Input Validation). Directly requires validation and sanitization of the ftp_file parameter before a shell command is constructed and executed via os.system, preventing command injection.

prevent: SI-2 (Flaw Remediation). Mandates identification, reporting, and correction of the command injection flaw in FTP-Flask-python, including patching or replacing the vulnerable os.system usage.

prevent: Enforces restrictions such as allow-listing or length limits on the ftp_file input at the application level to block command injection payloads.
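As an added example (not code from FTP-Flask-python or its disclosure), the pattern described in the vulnerability details and the input-validation control above, in Python: a constructed os.system-style string builder beside a hardened replacement that allow-lists ftp_file and invokes the program without a shell, plus a small check for flagging submitted values during log review. The staging and destination directories, the use of `cp`, and all sample values are assumptions.

```python
import posixpath
import re
import subprocess

# Vulnerable pattern (constructed, not the FTP-Flask-python source): the
# request value is spliced into a shell string, so any shell metacharacter
# in ftp_file is interpreted by /bin/sh. The string is returned here
# instead of being handed to os.system(), which is where the flaw lies.
def vulnerable_command(ftp_file: str, dest_dir: str = "/srv/ftp") -> str:
    return f"cp {ftp_file} {dest_dir}/"

# Hardened form: allow-list the file name (no separators, no leading dot,
# bounded length) and never involve a shell; argv goes to the program as a
# list, so the value stays one argument whatever characters it contains.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")

def is_safe_file_name(name: str) -> bool:
    return SAFE_NAME.fullmatch(name) is not None

def validate_file_name(name: str) -> str:
    """Return name unchanged if it passes the allow-list, else raise ValueError."""
    if not is_safe_file_name(name):
        raise ValueError(f"rejected ftp_file value: {name!r}")
    return name

def hardened_argv(ftp_file: str, staging: str = "/tmp/incoming",
                  dest_dir: str = "/srv/ftp") -> list[str]:
    """Build the argv list for subprocess.run(argv, shell=False)."""
    name = validate_file_name(ftp_file)
    return ["cp", "--", posixpath.join(staging, name), posixpath.join(dest_dir, name)]

def run_upload(ftp_file: str) -> subprocess.CompletedProcess:
    """Execute the copy without a shell; validation runs before anything else."""
    return subprocess.run(hardened_argv(ftp_file), shell=False,
                          check=True, capture_output=True)

# Detection aid for log or WAF review: a legitimate file name never needs
# shell metacharacters, so their presence in a submitted ftp_file value is
# worth an alert even when the request was rejected.
SHELL_META = re.compile(r"[;&|`$()<>\\'\"\n]")

def flag_suspicious_values(values: list[str]) -> list[str]:
    return [v for v in values if SHELL_META.search(v)]
```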
