CVE-2025-5952
Published: 10 June 2025
Summary
CVE-2025-5952 is a medium-severity OS command injection vulnerability (CWE-77, CWE-78) in Zend.To, the web-based file drop-off application. Its CVSS base score is 5.5 (Medium).
Operationally, it ranks in the top 18.9% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
A vulnerability classified as critical by its reporting source has been identified in Zend.To versions up to 6.10-6 Beta, specifically in the call to exec within the NSSDropoff.php file. The flaw stems from improper handling of the file_1 argument, which reaches an operating system command without adequate neutralization, hence the CWE-77 and CWE-78 classifications. The attack can be initiated remotely. Despite the "critical" classification, the CVSS 4.0 base score is 5.5 (Medium).
An attacker who controls the file_1 parameter can inject shell metacharacters and have arbitrary operating system commands executed on the affected server with the privileges of the web server process. The published exploit details and the CVSS vector indicate limited (rather than total) impact on confidentiality, integrity, and availability of the target system.
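The pattern behind the flaw, as an added illustration (this is not Zend.To's code; the handler function, the helper command and the request field name are assumptions made for the example): a caller-controlled upload name is concatenated into a shell command passed to PHP's exec(), beside a hardened form that validates the name against an allowlist and quotes it with escapeshellarg().

```php
<?php
// Added illustration of the CWE-78 pattern behind CVE-2025-5952.
// NOT Zend.To's code: the handler names, the "file -b" helper command and
// the "file_1" field are assumptions made for this example.

declare(strict_types=1);

// Vulnerable pattern: the caller-controlled name of the uploaded file
// (here the hypothetical "file_1" request field) is concatenated into a
// shell command. A value such as "report.pdf; id" is parsed by /bin/sh as
// two commands, so the attacker's command runs with the web server's rights.
function scanUploadVulnerable(string $file1): string
{
    $out = [];
    exec("file -b " . $file1, $out); // $file1 goes into the shell unquoted
    return implode("\n", $out);
}

// Hardened variant: validate, then quote, and keep the command a fixed template.
// 1. Reduce the value to a basename so "../" and "/" cannot escape the drop-off dir.
// 2. Accept only a conservative character set; reject anything else outright.
// 3. Wrap even the accepted value in escapeshellarg() so the shell never
//    interprets it.
function safeUploadName(string $file1): string
{
    $name = basename($file1);
    if ($name === '' || $name === '.' || $name === '..') {
        throw new InvalidArgumentException('empty file name');
    }
    if (!preg_match('/\A[A-Za-z0-9._-]{1,255}\z/', $name)) {
        throw new InvalidArgumentException('file name contains disallowed characters');
    }
    return $name;
}

function scanUploadHardened(string $dropoffDir, string $file1): string
{
    $name = safeUploadName($file1); // throws on "x; id", "$(id)", "`id`", ...
    $path = $dropoffDir . DIRECTORY_SEPARATOR . $name;
    $out  = [];
    $rc   = 0;
    exec('file -b ' . escapeshellarg($path), $out, $rc);
    if ($rc !== 0) {
        throw new RuntimeException("file(1) failed with exit code $rc");
    }
    return implode("\n", $out);
}

// Constructed inputs for a quick self-check of the validator only
// (the exec() calls above need a real drop-off directory).
$inputs = [
    'report.pdf',        // benign
    'report.pdf; id',    // classic CWE-78 payload shape
    '$(id).pdf',         // command substitution
    '../../etc/passwd',  // traversal; basename() strips it, regex then accepts "passwd"
];

foreach ($inputs as $input) {
    try {
        $name = safeUploadName($input);
        echo "accepted: $input -> $name\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: $input ({$e->getMessage()})\n";
    }
}
```

Note that the allowlist does the real work: escapeshellarg() alone stops the shell from interpreting the value, but it does not stop a name like "../../etc/passwd" from being handed to the helper command, which is why basename() and the character-set check come first. Run with `php example.php` on any PHP 7.4+ installation.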
Vendor guidance recommends upgrading to version 6.10-7 or later to resolve the command injection issue, with additional hardening measures introduced in 6.15-8. The affected software is described as an older release, and the vendor advises moving to the current version.
The exploit has been made public, yet the EPSS score has remained flat at 0.0143 with no observed increase following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-17626
Vulnerability details
A vulnerability, which was classified as critical, has been found in Zend.To up to 6.10-6 Beta. This issue affects the function exec of the file NSSDropoff.php. The manipulation of the argument file_1 leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 6.10-7 is able to address this issue. It is recommended to upgrade the affected component. This affects a rather old version of the software. The vendor recommends updating to the latest release. Additional countermeasures have been added in 6.15-8.
- CWE(s): CWE-77 (Improper Neutralization of Special Elements used in a Command), CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.