Cyber Resilience

CVE-2025-61304

Critical · Public PoC · RCE

Published: 05 November 2025

Modified: 08 January 2026
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0086 (75.5th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-61304 is a critical-severity OS Command Injection (CWE-78) vulnerability in the Dynatrace ActiveGate Ping Extension. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 24.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-61304 is an OS command injection vulnerability (CWE-78) in the Dynatrace ActiveGate ping extension for versions up to 1.016. The issue arises from processing a crafted IP address, enabling arbitrary command execution on the underlying operating system. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its network accessibility, low attack complexity, and lack of prerequisites like privileges or user interaction.

A remote, unauthenticated attacker can exploit this vulnerability over the network by supplying a malicious IP address to the ping extension. Successful exploitation allows injection and execution of arbitrary OS commands, resulting in high-impact compromise of confidentiality, integrity, and availability, potentially giving full control over the affected ActiveGate host.

Mitigation details and additional technical information are available in the referenced advisory at https://github.com/pentastic-be/CVE-2025-61304. The CVE was published on 2025-11-05T16:15:40.770.

Vulnerability details

OS command injection vulnerability in Dynatrace ActiveGate ping extension up to 1.016 via crafted ip address.

CWE(s): CWE-78 (OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Remote unauthenticated command injection in a network-accessible service enables T1190 (Exploit Public-Facing Application) and directly facilitates arbitrary OS command execution via T1059 (Command and Scripting Interpreter).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2025-60962 (shared CWE-78)
- CVE-2025-23316 (shared CWE-78)
- CVE-2026-30880 (shared CWE-78)
- CVE-2025-64124 (shared CWE-78)
- CVE-2024-58274 (shared CWE-78)
- CVE-2026-34188 (shared CWE-78)
- CVE-2025-0680 (shared CWE-78)
- CVE-2026-5965 (shared CWE-78)
- CVE-2025-50194 (shared CWE-78)
- CVE-2026-44590 (shared CWE-78)

Affected Assets

Dynatrace ActiveGate Ping Extension, versions ≤ 1.016

Mitigating Controls (NIST 800-53 r5, AI)

- prevent (SI-10, Information Input Validation): Directly prevents OS command injection by implementing input validation mechanisms at the IP address input point to reject crafted malicious payloads.
- prevent (SI-2, Flaw Remediation): Remediates the specific flaw in the Dynatrace ActiveGate ping extension up to version 1.016 by identifying, reporting, and correcting vulnerabilities in a timely manner.
- prevent (least functionality): Mitigates exposure by restricting or disabling the unnecessary ping extension functionality to enforce least functionality and reduce the attack surface.
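To make the CWE-78 pattern behind this CVE and the SI-10 input-validation control concrete, the following is an added illustration (not Dynatrace's extension code; the extension's real implementation is not on this page). It contrasts a ping wrapper that splices a caller-supplied "IP address" into a shell command line with a hardened version that accepts only a literal IP address and passes it as a discrete argv element with no shell involved; the sample inputs are constructed.

```python
import ipaddress
import platform
import subprocess
from typing import List

# Constructed sample inputs: one legitimate address and one "crafted" value
# carrying shell metacharacters (a benign marker stands in for any payload).
GOOD_TARGET = "192.0.2.10"
CRAFTED_TARGET = "192.0.2.10; echo injected"


def build_ping_command_unsafe(target: str) -> str:
    """Vulnerable pattern (CWE-78): the caller's string is spliced into a
    shell command line, so metacharacters in `target` become shell syntax
    if this string is ever handed to a shell (e.g. subprocess with shell=True)."""
    return f"ping -c 1 {target}"


def validate_ip(target: str) -> str:
    """Strict allow-list check: accept only a literal IPv4/IPv6 address.
    ipaddress.ip_address() raises ValueError on anything else, which also
    blocks hostnames, leading '-' option injection and shell metacharacters."""
    return str(ipaddress.ip_address(target.strip()))


def build_ping_command_safe(target: str) -> List[str]:
    """Hardened form: the validated address becomes its own argv element and
    the command is never re-parsed by a shell, so nothing in it is executable."""
    addr = validate_ip(target)
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    return ["ping", count_flag, "1", addr]


def ping_once(target: str, timeout: float = 5.0) -> int:
    """Run the hardened command with shell=False and return ping's exit status."""
    argv = build_ping_command_safe(target)
    return subprocess.run(argv, capture_output=True, timeout=timeout,
                          check=False).returncode


def is_crafted(target: str) -> bool:
    """Detection helper: True when the value is not a bare IP address, i.e. a
    client sent something the ping endpoint should reject (and log)."""
    try:
        validate_ip(target)
    except ValueError:
        return True
    return False
```

`is_crafted` can double as a detection rule over request logs for such an endpoint: any target value that fails strict IP parsing is worth alerting on.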
