Cyber Posture

CVE-2025-63421

High

Published: 12 February 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: none listed
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (percentile 9.2)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-63421 is a high-severity Code Injection (CWE-94) vulnerability in Neocities (affected product inferred from references). Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at percentile 9.2 by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Timely flaw remediation through vendor patching directly eliminates the code injection vulnerability in comeinst.exe, preventing arbitrary code execution by local low-privilege attackers.

SI-10 Information Input Validation (prevent): Information input validation in the affected application prevents code injection (CWE-94) via inputs processed by comeinst.exe.

SI-16 Memory Protection (prevent): Memory protection safeguards such as DEP and ASLR prevent unauthorized code execution resulting from exploitation of the code injection vulnerability.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

Local code injection (CWE-94) in comeinst.exe enables arbitrary code execution from low privileges, directly facilitating exploitation for privilege escalation with high CIA impact.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

An issue in filosoft Comerc.32 Commercial Invoicing v.16.0.0.3 allows a local attacker to execute arbitrary code via the comeinst.exe file

Deeper analysis

CVE-2025-63421 is a code injection vulnerability (CWE-94) in filosoft Comerc.32 Commercial Invoicing version 16.0.0.3. The issue allows a local attacker to execute arbitrary code via the comeinst.exe file. Published on 2026-02-12, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting high severity due to its potential for significant impact.

A local attacker with low privileges can exploit the vulnerability with low attack complexity and no user interaction. Exploitation through comeinst.exe enables arbitrary code execution, with high impact on the confidentiality, integrity, and availability of the affected system.

Mitigation details can be found in advisories referenced at https://ghostline.neocities.org/CVE-2025-63421/ and the vendor site https://www.filosoft.pt. No specific patch or workaround information is provided in the CVE description.

Details

CWE(s)

CWE-94 (Code Injection)

Affected Products

Neocities (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2025-25943 (shared CWE-94)
CVE-2024-7425 (shared CWE-94)
CVE-2026-26682 (shared CWE-94)
CVE-2025-64691 (shared CWE-94)
CVE-2025-24159 (shared CWE-94)
CVE-2025-33240 (shared CWE-94)
CVE-2025-21292 (shared CWE-94)
CVE-2026-32573 (shared CWE-94)
CVE-2026-31857 (shared CWE-94)
CVE-2025-48984 (shared CWE-94)

References