CVE-2025-63334
Published: 05 November 2025
Summary
CVE-2025-63334 is a critical-severity OS Command Injection (CWE-78) vulnerability in Magdesign Pocketvj Control Panel Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 34.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-63334, published on 2025-11-05, is an unauthenticated remote code execution vulnerability in PocketVJ CP PocketVJ-CP-v3 pvj version 3.9.1. The flaw exists in the submit_opacity.php component, where the application fails to sanitize the opacityValue POST parameter before passing it to a shell command, enabling OS command injection as described by CWE-78.
The vulnerability can be exploited by remote attackers with no privileges or user interaction required, accessible over the network with low attack complexity. Exploitation grants attackers the ability to execute arbitrary commands with root privileges on the underlying system, resulting in high confidentiality, integrity, and availability impacts, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
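As an added illustration of the bug class described above (this is not code from the PocketVJ-CP-v3 project and not the real contents of submit_opacity.php), the PHP below shows the vulnerable shape of a handler that interpolates the opacityValue POST parameter into a shell command, next to a hardened handler that applies the SI-10 control: allowlist validation of the value as an integer in [0, 100] before any shell is involved, plus escapeshellarg() as a second layer. The helper path /usr/local/bin/pvj-set-opacity and all function names are assumptions chosen for the example.

```php
<?php
// Added illustration for the CVE-2025-63334 bug class (CWE-78).
// This is NOT the PocketVJ-CP-v3 source: the command path, file names and
// function names are assumptions chosen to show the pattern.

declare(strict_types=1);

// --- Vulnerable pattern (assumed shape of the flaw, not the real source) ---
// The raw POST value is concatenated into a shell command string. A request
// body such as  opacityValue=50;id  ends the intended command and runs what
// follows with the privileges of the web server process (root on this
// product, per the advisory).
function set_opacity_vulnerable(array $post): string
{
    $value = $post['opacityValue'] ?? '';
    $cmd   = '/usr/local/bin/pvj-set-opacity ' . $value;   // hypothetical helper
    return shell_exec($cmd) ?? '';
}

// --- Hardened pattern (SI-10: validate first, never build a command string
// from raw input) ---
// 1. Allowlist-validate: opacity must be an integer in [0, 100]; anything
//    else is rejected before it can reach a shell.
// 2. Even the validated value is passed through escapeshellarg(), so it
//    reaches the shell as one quoted argument whatever future edits do.
function validate_opacity(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $v = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 100],
    ]);
    return $v === false ? null : $v;
}

function set_opacity_hardened(array $post): string
{
    $value = validate_opacity($post['opacityValue'] ?? null);
    if ($value === null) {
        http_response_code(400);
        return 'invalid opacityValue';
    }
    $cmd = '/usr/local/bin/pvj-set-opacity ' . escapeshellarg((string) $value);
    exec($cmd, $output, $status);
    return $status === 0 ? implode("\n", $output) : 'backend error';
}

// Self-check of the validator only (no shell is executed), run from the CLI:
//   php submit_opacity_hardened.php
if (PHP_SAPI === 'cli') {
    // Constructed inputs: benign values and typical injection payloads.
    $cases = [
        '50'      => 50,
        '0'       => 0,
        '100'     => 100,
        '101'     => null,
        '50;id'   => null,
        '$(id)'   => null,
        '`id`'    => null,
        '50 | id' => null,
        ''        => null,
    ];
    foreach ($cases as $in => $expected) {
        // Cast back to string: PHP turns numeric-string array keys into ints.
        $got = validate_opacity((string) $in);
        printf("%-12s -> %-5s %s\n", var_export((string) $in, true),
            var_export($got, true), $got === $expected ? 'ok' : 'MISMATCH');
    }
}
```

The validation step is the control that actually closes the hole; escapeshellarg() is defence in depth, not a substitute for it. Separately from the code, the AC-6 point still stands: the same injection would do far less damage if the PHP process did not run as root, so dropping the web server to an unprivileged account and giving it a narrowly scoped way (for example a sudoers entry limited to the one helper) to adjust the opacity limits the blast radius even if another parameter turns out to be unsanitized.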
Advisories reference a GitHub Gist at https://gist.github.com/mamdouhalrekabi-ops/e7686a0bdd197c77c1b54191e1a2880f and the PocketVJ-CP-v3 release page at https://github.com/magdesign/PocketVJ-CP-v3/releases/tag/release for additional details, which security practitioners should review for mitigation guidance or patched versions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-37920
Vulnerability details
PocketVJ CP PocketVJ-CP-v3 pvj version 3.9.1 contains an unauthenticated remote code execution vulnerability in the submit_opacity.php component. The application fails to sanitize user input in the opacityValue POST parameter before passing it to a shell command, allowing remote attackers to execute arbitrary commands with root privileges on the underlying system.
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1059.004 Command and Scripting Interpreter: Unix Shell
Why these techniques?
Unauthenticated RCE via command injection in a public-facing PHP web application (T1190) enables arbitrary shell command execution on the Unix-like host as root (T1059.004).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validating and sanitizing the opacityValue POST parameter before it is passed to a shell command, preventing the OS command injection.
- SI-2 (Flaw Remediation): mandates timely identification, reporting and correction of the flaw in submit_opacity.php by patching, eliminating the command injection vulnerability.
- AC-6 (Least Privilege): limits the web application process to least privilege, so commands injected via opacityValue cannot execute with root privileges.