Cyber Resilience

CVE-2025-62193

Critical · RCE

Published: 15 January 2026
Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score (v4): 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0120 (64.2nd percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-62193 is a critical-severity OS Command Injection (CWE-78) vulnerability in Githubusercontent (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 35.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-62193 is a remote code execution vulnerability affecting sites running NOAA PMEL Live Access Server (LAS). It is triggered by specially crafted requests that include PyFerret expressions: a SPAWN command embedded in such an expression is executed by the server and runs arbitrary OS commands. The flaw is classified under CWE-78 (OS Command Injection) with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). It was addressed in an update to the file 'gov.noaa.pmel.tmap.las.filter.RequestInputFilter.java' dated 2025-09-24.

A remote, unauthenticated attacker can exploit this vulnerability by sending malicious requests to a LAS instance accessible over the network. Exploitation requires low complexity and no privileges or user interaction, enabling the attacker to achieve high impacts on confidentiality, integrity, and availability through arbitrary OS command execution on the server.

Mitigation requires updating LAS to the patched version, with fixes implemented in GitHub commits such as de5f9237bfd4ac5085bcc49a6e30bbc9507ddb29 and e69afb1898ae7e69f3e047513fc1e5570373912b in the NOAA-PMEL/LAS repository. Additional details are available in the repository's README.md, version comparison from b4b7306 to de5f923, and the main branch tree.


Vulnerability details

Sites running NOAA PMEL Live Access Server (LAS) are vulnerable to remote code execution via specially crafted requests that include PyFerret expressions. By leveraging a SPAWN command, a remote, unauthenticated attacker can execute arbitrary OS commands. Fixed in a version of 'gov.noaa.pmel.tmap.las.filter.RequestInputFilter.java' from 2025-09-24.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a remote code execution flaw in a public-facing web application (NOAA PMEL LAS) exploitable via crafted requests for arbitrary OS command execution without authentication or user interaction, directly enabling T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-43984 (shared CWE-78)
CVE-2026-34176 (shared CWE-78)
CVE-2026-47294 (shared CWE-78)
CVE-2020-37125 (shared CWE-78)
CVE-2024-49601 (shared CWE-78)
CVE-2025-62354 (shared CWE-78)
CVE-2022-50596 (shared CWE-78)
CVE-2025-56819 (shared CWE-78)
CVE-2025-48703 (shared CWE-78)
CVE-2026-25111 (shared CWE-78)

Affected Assets

Githubusercontent
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls (NIST 800-53 r5) (AI)

prevent (SI-10 Information Input Validation)
Implements input validation at entry points to reject specially crafted PyFerret expressions containing SPAWN commands, directly preventing OS command injection.

prevent (SI-2 Flaw Remediation)
Requires timely patching of the identified flaw in gov.noaa.pmel.tmap.las.filter.RequestInputFilter.java to eliminate the vulnerability.

prevent
Restricts dangerous information inputs such as PyFerret SPAWN commands using defined tools and procedures to block exploitation attempts.
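As an added example (not code from the NOAA-PMEL/LAS project or from this advisory), the input-validation control above expressed in Python, together with the detection side a SOC would want: a request-parameter validator that rejects any expression carrying a SPAWN command after URL-decoding, and a scanner that applies the same check to web-server access logs. The endpoint path `/las/example.do`, the parameter name `expr`, and the log lines are constructed assumptions, not LAS's real interface or traffic.

```python
"""Input validation (SI-10) and log detection for PyFerret SPAWN injection.

Added example for this advisory, not code from the NOAA-PMEL/LAS project.
The endpoint path, parameter name and log lines are constructed assumptions.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Ferret's SPAWN command hands its argument to a shell, so any request
# expression carrying it is rejected outright. Match the whole word,
# case-insensitively; the lookarounds stop words like 'respawned' matching.
# This is a deny-list; an allow-list of permitted expression syntax is the
# stronger form of SI-10 and the direction a production filter should take.
SPAWN_PATTERN = re.compile(r"(?<![A-Za-z0-9_])SPAWN(?![A-Za-z0-9_])", re.IGNORECASE)


def normalize(value: str) -> str:
    """URL-decode until stable (bounded) so double-encoding cannot hide a token."""
    prev, cur = None, value
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote_plus(cur)
    return cur


def is_safe_expression(expr: str) -> bool:
    """True only if the decoded expression contains no SPAWN command."""
    return SPAWN_PATTERN.search(normalize(expr)) is None


def validate_request_params(params: dict) -> list:
    """Return the names of parameters that fail validation (empty if all pass)."""
    return [name for name, values in params.items()
            if any(not is_safe_expression(v) for v in values)]


# Common Log Format, as a reverse proxy in front of a Java app typically emits it.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic; '/las/example.do' and 'expr' are placeholders.
# Line 1 is a benign data expression, line 2 a plain SPAWN token, line 3 the
# same token double-URL-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jan/2026:10:01:02 +0000] "GET /las/example.do?expr=TEMP%5BL%3D1%5D HTTP/1.1" 200 512
10.0.0.9 - - [15/Jan/2026:10:01:07 +0000] "GET /las/example.do?expr=spawn HTTP/1.1" 200 77
10.0.0.9 - - [15/Jan/2026:10:01:09 +0000] "GET /las/example.do?expr=SP%2541WN HTTP/1.1" 500 0
"""


def detect_in_log(log_text: str) -> list:
    """Flag log lines whose query parameters would fail validation."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not CLF; a real pipeline would count these separately
        params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        bad = validate_request_params(params)
        if bad:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": m.group("status"), "params": bad})
    return hits


if __name__ == "__main__":
    for hit in detect_in_log(SAMPLE_LOG):
        print(f"ALERT {hit['ts']} {hit['ip']} params={hit['params']} status={hit['status']}")
```

The validator decodes before matching because a filter that checks the raw, still-encoded parameter would pass the third sample line; the same normalization is what makes the log scan and the entry-point check agree. A 200 status on a flagged line (second sample) is the one worth paging on, since it indicates the request reached the application rather than being refused.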

References