CVE-2025-60889

Severity: Critical · Public PoC · RCE

Published: 28 April 2026
Modified: 18 May 2026
KEV Added: not listed
CVSS Score (v3.1): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0057 (42.8th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-60889 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in HPX, the C++ parallel runtime from the STE||AR Group (vendor recorded here as stellar-group). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 42.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations this analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection), with SI-2 (Flaw Remediation) covering patching itself.

Deeper analysis

CVE-2025-60889 is an insecure deserialization vulnerability (CWE-502) in HPX version 1.11.0 from the STE||AR Group (stellar-group). Under conditions the advisory does not spell out, deserialization of untrusted input may let an attacker execute arbitrary code or cause other unspecified impacts. Published on 2026-04-28, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): network-reachable, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability.

Successful exploitation could give an unauthenticated remote attacker arbitrary code execution on a system running HPX 1.11.0, and with it compromise of that process and whatever it can reach. HPX is a distributed runtime whose localities exchange serialized messages (parcels) over the network, so until the affected deserialization path is clarified, any HPX parcelport listening on a reachable interface should be treated as the exposed surface and kept off untrusted networks (this exposure note is an inference from HPX's architecture, not a statement in the advisory).

The references recorded for this CVE are http://hpx.com, http://stellargroup.com, and https://gist.github.com/TrebledJ/b32fd5c469583493ab50244045c9a6e4. The first two are domain-level links rather than specific advisory pages; the gist is the only third-party reference listed.


Vulnerability details

Insecure deserialization of untrusted input in StellarGroup HPX 1.11.0 under certain conditions may allow attackers to execute arbitrary code or cause other unspecified impacts.

CWE(s)

CWE-502 Deserialization of Untrusted Data

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Insecure deserialization (CWE-502) in a network-exposed service directly enables unauthenticated remote code execution, mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-62368 (shared CWE-502)
CVE-2025-68903 (shared CWE-502)
CVE-2025-67911 (shared CWE-502)
CVE-2025-54014 (shared CWE-502)
CVE-2026-22505 (shared CWE-502)
CVE-2025-53078 (shared CWE-502)
CVE-2026-43633 (shared CWE-502)
CVE-2025-60039 (shared CWE-502)
CVE-2026-25429 (shared CWE-502)
CVE-2025-7697 (shared CWE-502)

Affected Assets

stellar-group / hpx, versions ≤ 1.11.0

Mitigating Controls (NIST 800-53 r5, AI-mapped)

SI-2 Flaw Remediation [prevent]: timely identification, reporting, and correction of flaws such as CVE-2025-60889; applying the vendor fix removes the vulnerable deserialization code path.

SI-10 Information Input Validation [prevent]: validate untrusted input before it reaches the deserializer (length fields checked against the bytes actually received, type identifiers restricted to what the endpoint expects), so attacker-supplied serialized data cannot drive arbitrary code execution.

SI-16 Memory Protection [prevent]: DEP/NX and ASLR raise the cost of turning a memory-corrupting deserialization bug into code execution. They are a backstop rather than a fix: if the flaw is logic-level (the deserializer instantiating or invoking something it should not), memory protections do not apply.
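As an added illustration of the pattern described in the Deeper analysis and of the SI-10 control above (this is example code, not HPX's serialization code and not the trigger for CVE-2025-60889), the following C++ puts a trusting deserializer next to a validated one. The wire format, the message types, the RunCommand "gadget" and the sample messages are all constructed for the example: the point is that a deserializer which honours a sender-chosen type name and length field lets the sender pick both what gets instantiated and how many bytes get read, whereas the hardened version checks the length against the bytes actually received and instantiates only allow-listed types.

```cpp
// Added illustration of CWE-502 (toy format, not HPX's serialization and not
// the CVE-2025-60889 trigger). Wire format chosen for this example:
//   [u8 name_len][name bytes][u32 big-endian payload_len][payload bytes]
// The receiver reconstructs whatever type the *sender* names.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <functional>
#include <iostream>
#include <map>
#include <memory>
#include <set>
#include <string>
#include <utility>
#include <vector>

struct Message {
    virtual ~Message() = default;
    virtual std::string describe() const = 0;
};

// The one type this endpoint is meant to receive.
struct Greeting : Message {
    std::string text;
    std::string describe() const override { return "Greeting:" + text; }
};

// A "gadget": a type that is legitimately serializable elsewhere in the program
// but whose reconstruction has a side effect. Here it only records the command;
// in a real process this is where the code-execution primitive would sit.
std::vector<std::string> g_executed;
struct RunCommand : Message {
    std::string cmd;
    std::string describe() const override { return "RunCommand:" + cmd; }
};

using Factory = std::function<std::unique_ptr<Message>(const std::string&)>;

// Registry of every type the program knows how to deserialize.
const std::map<std::string, Factory>& registry() {
    static const std::map<std::string, Factory> r = {
        {"Greeting", [](const std::string& p) -> std::unique_ptr<Message> {
            auto m = std::make_unique<Greeting>();
            m->text = p;
            return std::unique_ptr<Message>(std::move(m)); }},
        {"RunCommand", [](const std::string& p) -> std::unique_ptr<Message> {
            auto m = std::make_unique<RunCommand>();
            m->cmd = p;
            g_executed.push_back(p);   // side effect fires during deserialization
            return std::unique_ptr<Message>(std::move(m)); }},
    };
    return r;
}

// Encoder for the toy format (used only to build constructed sample messages).
std::vector<std::uint8_t> encode(const std::string& name, const std::string& payload) {
    std::vector<std::uint8_t> out;
    out.push_back(static_cast<std::uint8_t>(name.size()));
    out.insert(out.end(), name.begin(), name.end());
    std::uint32_t n = static_cast<std::uint32_t>(payload.size());
    for (int shift = 24; shift >= 0; shift -= 8) out.push_back(static_cast<std::uint8_t>(n >> shift));
    out.insert(out.end(), payload.begin(), payload.end());
    return out;
}

// Trusting deserializer: honours the sender's type name and length field without
// checking either. A payload_len larger than the bytes received is an over-read,
// and any registered type, gadget included, can be summoned by name.
std::unique_ptr<Message> deserialize_trusting(const std::vector<std::uint8_t>& buf) {
    std::size_t pos = 0;
    std::size_t nlen = buf[pos++];
    std::string name(buf.begin() + pos, buf.begin() + pos + nlen);
    pos += nlen;
    std::uint32_t plen = 0;
    for (int i = 0; i < 4; ++i) plen = (plen << 8) | buf[pos++];
    std::string payload(reinterpret_cast<const char*>(buf.data() + pos), plen);  // unchecked length
    auto it = registry().find(name);
    if (it == registry().end()) return nullptr;
    return it->second(payload);
}

// Hardened deserializer (SI-10): validate structure and length before touching
// the payload, and instantiate only the types this endpoint expects.
std::unique_ptr<Message> deserialize_validated(const std::vector<std::uint8_t>& buf,
                                               const std::set<std::string>& allowed,
                                               std::size_t max_payload,
                                               std::string& err) {
    err.clear();
    std::size_t pos = 0;
    if (buf.empty()) { err = "truncated header"; return nullptr; }
    std::size_t nlen = buf[pos++];
    if (buf.size() - pos < nlen + 4) { err = "truncated name or length field"; return nullptr; }
    std::string name(buf.begin() + pos, buf.begin() + pos + nlen);
    pos += nlen;
    std::uint32_t plen = 0;
    for (int i = 0; i < 4; ++i) plen = (plen << 8) | buf[pos++];
    if (plen > max_payload) { err = "payload exceeds limit"; return nullptr; }
    if (plen != buf.size() - pos) { err = "length field disagrees with bytes received"; return nullptr; }
    if (!allowed.count(name)) { err = "type not permitted here: " + name; return nullptr; }
    auto it = registry().find(name);
    if (it == registry().end()) { err = "unknown type: " + name; return nullptr; }
    std::string payload(reinterpret_cast<const char*>(buf.data() + pos), plen);
    return it->second(payload);
}

int main() {
    // Constructed sample messages, not captured traffic.
    auto benign = encode("Greeting", "hello");
    auto gadget = encode("RunCommand", "id");
    auto lying  = encode("Greeting", "hi");
    lying[12] = 0xFF;   // length field now claims 255 bytes; only 2 follow

    std::cout << "trusting, gadget: " << deserialize_trusting(gadget)->describe()
              << " (commands run: " << g_executed.size() << ")\n";
    std::string err;
    const std::set<std::string> allowed{"Greeting"};
    for (auto* m : {&benign, &gadget, &lying}) {
        auto r = deserialize_validated(*m, allowed, 1024, err);
        std::cout << "validated: " << (r ? r->describe() : "rejected: " + err) << '\n';
    }
    return 0;
}
```

The trusting path is never fed the lying message in the demo, because reading 255 bytes out of a 15-byte buffer is exactly the over-read the validated path exists to refuse. The allow-list is the part most deserialization libraries leave to the caller: a global "everything serializable" registry is convenient for the sender and is precisely what turns CWE-502 into code execution.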
