CVE-2025-63334

Critical · Public PoC · RCE

Published: 05 November 2025
Modified: 09 January 2026
KEV Added: none (not listed in the CISA KEV catalog)
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0049 (65.8th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-63334 is a critical-severity OS Command Injection (CWE-78) vulnerability in Magdesign Pocketvj Control Panel Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 34.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced in advisories.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-63334, published on 2025-11-05, is an unauthenticated remote code execution vulnerability in PocketVJ CP PocketVJ-CP-v3 pvj version 3.9.1. The flaw exists in the submit_opacity.php component, where the application fails to sanitize the opacityValue POST parameter before passing it to a shell command, enabling OS command injection as described by CWE-78.

The vulnerability can be exploited by remote attackers with no privileges or user interaction required, accessible over the network with low attack complexity. Exploitation grants attackers the ability to execute arbitrary commands with root privileges on the underlying system, resulting in high confidentiality, integrity, and availability impacts, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Advisories reference a GitHub Gist at https://gist.github.com/mamdouhalrekabi-ops/e7686a0bdd197c77c1b54191e1a2880f and the PocketVJ-CP-v3 release page at https://github.com/magdesign/PocketVJ-CP-v3/releases/tag/release for additional details, which security practitioners should review for mitigation guidance or patched versions.
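The SI-10 control named above amounts to allow-listing the opacityValue parameter before any shell command sees it. The following is an added example of such a hardened handler, not PocketVJ's code; the backend command name pvj-set-opacity and the 0..100 percentage range are assumptions, not details from the advisory.

```php
<?php
// Added example, not PocketVJ's code: hardened handling of the opacityValue
// POST parameter described in CVE-2025-63334. The 'pvj-set-opacity' command
// and the 0..100 integer range are assumptions, not taken from the advisory.

// Return the opacity as an int only when the raw POST value is a plain
// decimal integer in 0..100; return null for anything else. Strict
// allow-listing rejects shell metacharacters outright instead of trying
// to strip them (NIST 800-53 SI-10, input validation).
function validateOpacity($raw): ?int
{
    // The /D modifier keeps '$' from matching before a trailing newline.
    if (!is_string($raw) || !preg_match('/^(100|[1-9]?[0-9])$/D', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Build the shell command from an already-validated integer. The value is
// still wrapped with escapeshellarg() so the shell never interprets it,
// instead of interpolating the raw request value into the command string.
function buildOpacityCommand(int $opacity): string
{
    return 'pvj-set-opacity ' . escapeshellarg((string) $opacity);
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs (not from the advisory): in-range integers
    // are accepted; out-of-range, non-numeric or padded values are rejected.
    $cases = ['0' => 0, '50' => 50, '100' => 100, '101' => null,
              'abc' => null, '50 ' => null, '1e2' => null];
    foreach ($cases as $in => $want) {
        $got = validateOpacity((string) $in);
        echo str_pad(var_export((string) $in, true), 8), ' => ', var_export($got, true), "\n";
        if ($got !== $want) {
            fwrite(STDERR, "unexpected result for " . var_export((string) $in, true) . "\n");
            exit(1);
        }
    }
    echo "command: ", buildOpacityCommand(50), "\n";
} elseif (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $opacity = validateOpacity($_POST['opacityValue'] ?? null);
    if ($opacity === null) {
        http_response_code(400);
        exit('invalid opacityValue');
    }
    header('Content-Type: text/plain');
    echo shell_exec(buildOpacityCommand($opacity)) ?? '';
}
```

Run from the command line it exercises the validator on the constructed inputs; deployed behind a web server it only ever passes a validated, quoted integer to the shell. Pairing this with running the web process as a non-root user (the least-privilege control listed below) limits what any remaining flaw could do.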

Vulnerability details

PocketVJ CP PocketVJ-CP-v3 pvj version 3.9.1 contains an unauthenticated remote code execution vulnerability in the submit_opacity.php component. The application fails to sanitize user input in the opacityValue POST parameter before passing it to a shell command, allowing remote attackers to execute arbitrary commands with root privileges on the underlying system.

CWE(s)

CWE-78 OS Command Injection

Related Threats

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Unauthenticated RCE via command injection in a public-facing PHP web application (T1190) enables arbitrary shell command execution as root on a Unix-like system (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42454 (shared CWE-78)
CVE-2026-34796 (shared CWE-78)
CVE-2024-57016 (shared CWE-78)
CVE-2025-50475 (shared CWE-78)
CVE-2024-57015 (shared CWE-78)
CVE-2026-36828 (shared CWE-78)
CVE-2024-57595 (shared CWE-78)
CVE-2026-25196 (shared CWE-78)
CVE-2024-50566 (shared CWE-78)
CVE-2026-23592 (shared CWE-78)

Affected Assets

Vendor: magdesign
Product: pocketvj control panel firmware
Version: 3.9.1

Mitigating Controls (NIST 800-53 r5) · AI

Prevent · SI-10 Information Input Validation: Directly requires sanitizing and validating the unsanitized opacityValue POST parameter before passing it to shell commands, preventing OS command injection.

Prevent · SI-2 Flaw Remediation: Mandates timely identification, reporting, and correction of the specific flaw in submit_opacity.php via patching to eliminate the command injection vulnerability.

Prevent · Least privilege: Limits the web application process to least privilege, preventing arbitrary commands injected via opacityValue from executing with root privileges.
