Cyber Resilience

CVE-2025-58180 (High)

Published: 09 September 2025
Modified: 18 September 2025
KEV Added: not listed
Patch: available (version 1.11.3)
CVSS v4 score: 7.5 (CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0222 (84.8th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-58180 is a high-severity OS Command Injection (CWE-78) vulnerability in OctoPrint (vendor: OctoPrint). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS places it in the top 15.2% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

OctoPrint is a web interface for controlling consumer 3D printers, and versions up to and including 1.11.2 contain a command injection vulnerability tracked as CVE-2025-58180 and classified as CWE-78. An authenticated attacker can upload a file whose specially crafted filename is later interpolated into a system command defined inside a configured event handler; when the associated event fires, the filename causes arbitrary command execution on the host. The flaw has no impact unless administrators have explicitly created event handlers that pass uploaded filenames as parameters to shell commands.

An attacker with a valid OctoPrint account can therefore achieve remote code execution on the printer host by uploading the malicious file and then triggering the relevant event. The CVSS 4.0 score of 7.5 reflects the need for an existing event-handler configuration and local network adjacency, yet still grants high impact on confidentiality, integrity, and availability once the condition is met.

The official advisory and release notes for version 1.11.3 recommend upgrading immediately. As interim controls, administrators should either disable any filename-using event handlers or set feature.enforceReallyUniversalFilenames to true in config.yaml, followed by a restart and manual review of existing uploads to remove suspicious files. The project also reiterates that instances should never be exposed to untrusted networks and that access should be restricted to trusted users.

EPSS remains flat at 0.0222 with no material increase after disclosure.


Vulnerability details

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up to and including 1.11.2 contain a vulnerability that allows an authenticated attacker to upload a file under a specially crafted filename that will allow arbitrary command execution if said filename becomes included in a command defined in a system event handler and said event gets triggered. If no event handlers executing system commands with uploaded filenames as parameters have been configured, this vulnerability does not have an impact. The vulnerability is patched in version 1.11.3. As a workaround, OctoPrint administrators who have event handlers configured that include any kind of filename based placeholders should disable those by setting their `enabled` property to `False` or unchecking the "Enabled" checkbox in the GUI based Event Manager. Alternatively, OctoPrint administrators should set `feature.enforceReallyUniversalFilenames` to `true` in `config.yaml` and restart OctoPrint, then vet the existing uploads and make sure to delete any suspicious looking files. As always, OctoPrint administrators are advised to not expose OctoPrint on hostile networks like the public internet, and to vet who has access to their instance.
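A defender-side audit of the precondition described in the deeper analysis and in the advisory's workaround above, added here as an example that is not part of this page or of OctoPrint's own code: it flags enabled system-command event handlers whose command embeds a filename placeholder, checks whether the `feature.enforceReallyUniversalFilenames` workaround is set, and applies a conservative filename allowlist to existing uploads. The placeholder names (`{__filename}`, `{__filepath}`), the `events.subscriptions` layout, the allowlist regex and the sample config are assumptions; `config.yaml` is assumed to have already been loaded into a dict with a YAML parser.

```python
import re

# Assumption: OctoPrint event placeholders that expand to a file's name or path.
FILENAME_PLACEHOLDERS = ("{__filename}", "{__filepath}")
# Assumed conservative allowlist: letters, digits, dot, dash, underscore only.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")

def risky_handlers(config):
    """Events whose enabled, system-type handler embeds a filename placeholder
    in its command: the handlers the advisory says to disable."""
    events = config.get("events") or {}
    if not events.get("enabled", True):
        return []
    found = []
    for sub in events.get("subscriptions") or []:
        if sub.get("type") != "system" or not sub.get("enabled", True):
            continue
        if any(p in sub.get("command", "") for p in FILENAME_PLACEHOLDERS):
            found.append(sub.get("event"))
    return found

def universal_filenames_enforced(config):
    """True when the config.yaml workaround from the advisory is active."""
    return bool((config.get("feature") or {}).get("enforceReallyUniversalFilenames", False))

def is_safe_filename(name):
    """Reject names with shell metacharacters, whitespace or path separators."""
    return bool(SAFE_NAME.match(name)) and name not in (".", "..")

def audit(config):
    """Summarise exposure for one loaded config.yaml."""
    risky, enforced = risky_handlers(config), universal_filenames_enforced(config)
    return {"risky_events": risky, "workaround_set": enforced,
            "exposed": bool(risky) and not enforced}

# Constructed sample config: one risky handler, one harmless, one already disabled.
SAMPLE_CONFIG = {
    "feature": {"enforceReallyUniversalFilenames": False},
    "events": {"enabled": True, "subscriptions": [
        {"event": "FileAdded", "type": "system", "enabled": True,
         "command": "notify-admin {__filename}"},
        {"event": "PrintDone", "type": "system", "enabled": True, "command": "beep"},
        {"event": "Upload", "type": "system", "enabled": False,
         "command": "cp {__filepath} /srv/backup/"},
    ]},
}
```

Run `audit()` over each instance's loaded config; an `exposed` result of `True` means the advisory's precondition holds and neither workaround is in place.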

CWE(s)

CWE-78: OS Command Injection

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

OS command injection in the web application maps to T1190 (remote code execution against an exposed OctoPrint instance) and to T1059.004 (arbitrary Unix shell execution via a crafted filename in an event handler).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2026-42454 (shared CWE-78)
- CVE-2026-34796 (shared CWE-78)
- CVE-2024-57016 (shared CWE-78)
- CVE-2025-50475 (shared CWE-78)
- CVE-2024-57015 (shared CWE-78)
- CVE-2026-36828 (shared CWE-78)
- CVE-2024-57595 (shared CWE-78)
- CVE-2026-25196 (shared CWE-78)
- CVE-2024-50566 (shared CWE-78)
- CVE-2026-23592 (shared CWE-78)

Affected Assets

Vendor: octoprint
Product: octoprint
Versions: ≤ 1.11.3

Mitigating Controls (NIST 800-53 r5)

- Prevent (flaw remediation): directly addresses the CVE by requiring timely patching of OctoPrint to version 1.11.3, which fixes the command injection vulnerability in filename handling.
- Prevent (SI-10, Information Input Validation): prevents exploitation by validating uploaded filenames to reject specially crafted names that could inject commands when used in event handler system calls.
- Prevent (CM-7, Least Functionality): mitigates the vulnerability by restricting or prohibiting event handlers that execute system commands incorporating uploaded filenames.
