CVE-2025-57644
Published: 19 September 2025
Summary
CVE-2025-57644 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Accela Automation Platform. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 19.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Accela Automation Platform version 22.2.3.0.230103 contains multiple vulnerabilities in its Test Script feature. An authenticated administrative user can supply crafted input that triggers arbitrary Java code execution on the server, while separate flaws in input validation permit arbitrary file writes and server-side request forgery requests to internal or external systems. The issues map to CWE-20, CWE-22, CWE-94, and CWE-918 and carry a CVSS 3.1 score of 9.1.
An attacker who already possesses administrative credentials can chain these primitives to achieve remote code execution, write malicious files, and pivot through SSRF to reach otherwise inaccessible hosts. Successful exploitation results in full server compromise and exposure of sensitive data.
The EPSS score remains flat at 0.0136 with no material increase since disclosure. Public references consist of a technical write-up on Medium and the vendor site, but no patch or mitigation guidance is provided in the available information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-30333
Vulnerability details
Accela Automation Platform 22.2.3.0.230103 contains multiple vulnerabilities in the Test Script feature. An authenticated administrative user can execute arbitrary Java code on the server, resulting in remote code execution. In addition, improper input validation allows for arbitrary file write and server-side request forgery (SSRF), enabling interaction with internal or external systems. Successful exploitation can lead to full server compromise, unauthorized access to sensitive data, and further network exploitation.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
RCE via arbitrary Java code execution in a public-facing web application (the Test Script feature) maps directly to T1190 (Exploit Public-Facing Application); the resulting arbitrary code execution enables T1059 (Command and Scripting Interpreter). The file-write and SSRF flaws are secondary but support staging of files or proxying of requests.
Mitigating Controls (NIST 800-53 r5)
SI-10 mandates validation of all inputs to the Test Script feature, directly preventing improper input validation that enables arbitrary Java code execution, file writes, and SSRF.
SI-2 requires identification, reporting, and remediation of flaws like those in CVE-2025-57644 through timely patching to prevent exploitation.
AC-6 enforces least privilege, restricting administrative access to the vulnerable Test Script feature and reducing the number of users who can exploit it.