CVE-2025-59954
Published: 30 September 2025
Summary
CVE-2025-59954 is a critical-severity Code Injection (CWE-94) vulnerability in Eng Knowage. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 30.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mandates timely flaw remediation through patching, as recommended for this RCE vulnerability, which is fixed in Knowage 8.1.27.
- Requires input validation to prevent code injection attacks that exploit unsafe JXPathContext usage in MetaService.java (CWE-94).
- Enables vulnerability scanning to identify and prioritize this specific RCE flaw in Knowage versions 8.1.26 and below.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unauthenticated RCE in a public-facing web application (CWE-94) enables initial access via exploitation of the exposed service.
NVD Description
Knowage is an open source analytics and business intelligence suite. Versions 8.1.26 and below are vulnerable to Remote Code Execution through using an unsafe org.apache.commons.jxpath.JXPathContext in MetaService.java service. This issue is fixed in version 8.1.27.
Deeper analysis
CVE-2025-59954 is a remote code execution vulnerability in Knowage, an open source analytics and business intelligence suite. Versions 8.1.26 and below are affected due to unsafe usage of org.apache.commons.jxpath.JXPathContext in the MetaService.java service. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
An unauthenticated attacker with network access can exploit this vulnerability with low attack complexity and without requiring user interaction. Successful exploitation enables remote code execution, resulting in high impacts to confidentiality, integrity, and availability.
The vulnerability is fixed in Knowage version 8.1.27. Mitigation involves upgrading to this patched version. Further details are provided in the GitHub security advisory GHSA-96cv-75hg-xrgq and the fixing commit at https://github.com/KnowageLabs/Knowage-Server/commit/1bb60d42557724f7ed24c19df6c5017e169527ca.
Details
- CWE(s)