
CVE-2025-57644

Severity: Critical · Impact: RCE

Published: 19 September 2025
Modified: 17 October 2025
KEV Added: not listed
Patch: none recorded
CVSS v3.1 Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0136 (80.6th percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-57644 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Accela Automation Platform. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 19.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Accela Automation Platform version 22.2.3.0.230103 contains multiple vulnerabilities in its Test Script feature. An authenticated administrative user can supply crafted input that triggers arbitrary Java code execution on the server, while separate flaws in input validation permit arbitrary file writes and server-side request forgery requests to internal or external systems. The issues map to CWE-20, CWE-22, CWE-94, and CWE-918 and carry a CVSS 3.1 score of 9.1.

An attacker who already possesses administrative credentials can chain these primitives to achieve remote code execution, write malicious files, and pivot through SSRF to reach otherwise inaccessible hosts. Successful exploitation results in full server compromise and exposure of sensitive data.

The EPSS score remains flat at 0.0136 with no material increase since disclosure. Public references consist of a technical write-up on Medium and the vendor site, but no patch or mitigation guidance is provided in the available information.


Vulnerability details

Accela Automation Platform 22.2.3.0.230103 contains multiple vulnerabilities in the Test Script feature. An authenticated administrative user can execute arbitrary Java code on the server, resulting in remote code execution. In addition, improper input validation allows for arbitrary file write and server-side request forgery (SSRF), enabling interaction with internal or external systems. Successful exploitation can lead to full server compromise, unauthorized access to sensitive data, and further network exploitation.

CWE(s)

CWE-20 (Improper Input Validation), CWE-22 (Path Traversal), CWE-94 (Code Injection), CWE-918 (Server-Side Request Forgery)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

RCE via arbitrary Java code execution in a public-facing web application (the Test Script feature) maps directly to T1190; once code execution is obtained, the attacker can invoke scripting and command interpreters (T1059). The arbitrary file write and SSRF flaws are secondary but support staging of payloads or proxying requests to other hosts.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-37777 (shared: CWE-20, CWE-94)
CVE-2025-8356 (shared: CWE-22, CWE-94)
CVE-2026-42588 (shared: CWE-20, CWE-94)
CVE-2024-54756 (shared: CWE-94)
CVE-2025-12062 (shared: CWE-22)
CVE-2024-21760 (shared: CWE-94)
CVE-2026-41258 (shared: CWE-94)
CVE-2026-6543 (shared: CWE-94)
CVE-2025-26936 (shared: CWE-94)
CVE-2026-34910 (shared: CWE-20)

Affected Assets

Accela Automation Platform, version 22.2.3.0.230103

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-10 Information Input Validation (prevent): mandates validation of all inputs to the Test Script feature, directly preventing the improper input validation that enables arbitrary Java code execution, file writes, and SSRF.

SI-2 Flaw Remediation (prevent): requires identification, reporting, and remediation of flaws like those in CVE-2025-57644 through timely patching to prevent exploitation.

AC-6 Least Privilege (prevent): enforces least privilege, restricting administrative access to the vulnerable Test Script feature and reducing the number of users who can exploit it.
