Cyber Posture

CVE-2025-61304

Critical · Public PoC · RCE

Published: 05 November 2025

Modified: 08 January 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0081 (74.3rd percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-61304 is a critical-severity OS Command Injection (CWE-78) vulnerability in the Dynatrace ActiveGate ping extension. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 25.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly prevents OS command injection by implementing input validation mechanisms at the IP address input point to reject crafted malicious payloads.

prevent

Remediates the specific flaw in the Dynatrace ActiveGate ping extension up to version 1.016 by identifying, reporting, and correcting vulnerabilities in a timely manner.

prevent

Mitigates exposure by restricting or disabling the unnecessary ping extension functionality to enforce least functionality and reduce the attack surface.

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

Remote unauthenticated command injection in a network-accessible service enables T1190 (Exploit Public-Facing Application) and directly facilitates arbitrary OS command execution via T1059 (Command and Scripting Interpreter).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

OS command injection vulnerability in Dynatrace ActiveGate ping extension up to 1.016 via crafted ip address.

Deeper analysis · AI

CVE-2025-61304 is an OS command injection vulnerability (CWE-78) in the Dynatrace ActiveGate ping extension for versions up to 1.016. The issue arises from processing a crafted IP address, enabling arbitrary command execution on the underlying operating system. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its network accessibility, low attack complexity, and lack of prerequisites like privileges or user interaction.

A remote, unauthenticated attacker can exploit this vulnerability over the network by supplying a malicious IP address to the ping extension. Successful exploitation allows injection and execution of arbitrary OS commands, resulting in high-impact compromise of confidentiality, integrity, and availability—potentially enabling full control over the affected ActiveGate host.
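An added example (not code from Dynatrace, the referenced advisory, or this page) of the input-validation control described above for a ping-style check: the target is parsed as an IP literal and handed to the process as a single argv element, with no shell involved. The function names, the length limit, the count bounds and the Linux-style `-c` flag are assumptions, and the sample inputs are constructed.

```python
import ipaddress
import subprocess

MAX_LEN = 45  # longest textual IPv6 literal; assumed limit for this example


def parse_target(raw):
    """Return the canonical text of an IPv4/IPv6 literal or raise ValueError."""
    # ip_address() also accepts ints and packed bytes, so insist on str first.
    if not isinstance(raw, str) or not 0 < len(raw) <= MAX_LEN:
        raise ValueError("target must be a short, non-empty string")
    # Python 3.9+ accepts IPv6 zone IDs ("addr%zone") without checking the
    # characters after '%', so refuse them outright.
    if "%" in raw:
        raise ValueError("IPv6 zone IDs are not accepted")
    # Hostnames, whitespace, option-like strings and shell metacharacters all
    # fail here because only an address literal parses.
    return ipaddress.ip_address(raw).compressed


def build_ping_argv(raw, count=1):
    """Build the argument vector; the target is always one argv element."""
    if not 1 <= count <= 5:
        raise ValueError("count out of range")
    return ["ping", "-c", str(count), parse_target(raw)]


def run_ping(raw, timeout=5.0):
    """Run ping without a shell and return its exit status."""
    result = subprocess.run(build_ping_argv(raw), shell=False, timeout=timeout,
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode


# Constructed sample inputs: two valid literals, then values that must be refused.
SAMPLES = ["192.0.2.10", "2001:DB8:0:0:0:0:0:1", "192.0.2.10; id", "$(id)",
           "example.com", "192.0.2.10\n", "fe80::1%eth0", "-c", ""]


def classify(samples=SAMPLES):
    """Map each sample to True (accepted) or False (rejected)."""
    verdicts = {}
    for item in samples:
        try:
            parse_target(item)
            verdicts[item] = True
        except ValueError:
            verdicts[item] = False
    return verdicts
```
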

Mitigation details and additional technical information are available in the referenced advisory at https://github.com/pentastic-be/CVE-2025-61304. The CVE was published on 2025-11-05T16:15:40.770.

Details

CWE(s)

Affected Products

dynatrace · activegate ping extension · ≤ 1.016

CVEs Like This One

CVE-2025-36604 · Shared CWE-78
CVE-2025-63911 · Shared CWE-78
CVE-2026-22901 · Shared CWE-78
CVE-2026-25108 · Shared CWE-78
CVE-2025-54795 · Shared CWE-78
CVE-2026-1345 · Shared CWE-78
CVE-2025-56590 · Shared CWE-78
CVE-2026-28291 · Shared CWE-78
CVE-2024-58274 · Shared CWE-78
CVE-2025-50197 · Shared CWE-78

References