CVE-2025-63690
Published: 07 November 2025
Summary
CVE-2025-63690 is a critical-severity Unsafe Reflection (CWE-470) vulnerability in Pig4Cloud Pig. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 17.5% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-5 (Access Restrictions for Change) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the unsafe reflection vulnerability in the Quartz scheduled task function by applying patches or workarounds from vendor advisories.
- CM-5 (Access Restrictions for Change): Restricts access to scheduled task configuration changes to authorized personnel only, preventing high-privilege users from exploiting the reflection-based RCE.
- Input validation: Validates inputs such as Java class names and String parameters in scheduled task setup to block malicious reflection invocations like ELProcessor eval.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote code execution through abuse of the Quartz scheduled task management interface in the system management module, allowing invocation of arbitrary Java classes and methods via reflection (e.g., jakarta.el.ELProcessor.eval for command execution), directly facilitating exploitation of a public-facing application.
NVD Description
In pig-mesh Pig versions 3.8.2 and below, when setting up scheduled tasks in the Quartz management function under the system management module, it is possible to execute any Java class with a parameterless constructor and its methods with parameter type String through reflection. At this time, the eval method in Tomcat's built-in class jakarta.el.ELProcessor can be used to execute commands, leading to a remote code execution vulnerability.
Deeper analysis
CVE-2025-63690 is a remote code execution vulnerability (CWE-470: Unsafe Reflection) in pig-mesh Pig versions 3.8.2 and below. The flaw occurs in the Quartz management function within the system management module during scheduled task setup, allowing execution of any Java class with a parameterless constructor and methods accepting a String parameter via reflection. Attackers can leverage the eval method in Tomcat's built-in jakarta.el.ELProcessor class to execute arbitrary commands.
Exploitation is feasible by a network-accessible attacker with high privileges (PR:H), such as the permissions needed to configure scheduled tasks. The attack requires low complexity (AC:L) and no user interaction (UI:N), and it results in a scope change (S:C) with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), yielding a CVSS v3.1 base score of 9.1.
Advisories and further details, including potential patches or workarounds, are documented in the referenced GitHub repositories: https://github.com/LockeTom/vulnerability/blob/main/md/pig_Remote_Code_Execution_Vulnerability.md and https://github.com/pig-mesh/pig/issues/1199.
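As an added example, not code from Pig or from the referenced advisories, the following hardened job invoker shows the input validation the mitigating controls above call for: reflective instantiation is gated behind an explicit allow-list of class and method names, so a scheduler configuration naming an arbitrary class such as an EL evaluator is refused before any class is loaded. The job class names in the allow-list are constructed placeholders.

```java
import java.lang.reflect.Constructor;
import java.lang.reflect.Method;
import java.util.Set;

// Hypothetical hardened invoker for scheduler-configured jobs.
// Only classes and methods on an explicit allow-list may be reached via reflection.
public final class SafeJobInvoker {
    // Constructed allow-list; a real deployment lists its own job classes.
    private static final Set<String> ALLOWED_CLASSES = Set.of(
        "com.example.jobs.ReportJob",
        "com.example.jobs.CleanupJob");
    // Only the job entry points are invokable, each taking a single String argument.
    private static final Set<String> ALLOWED_METHODS = Set.of("run", "execute");

    // The check is exact-match on fully qualified names: no prefixes, no patterns.
    public static boolean isAllowed(String className, String methodName) {
        return className != null && methodName != null
            && ALLOWED_CLASSES.contains(className)
            && ALLOWED_METHODS.contains(methodName);
    }

    public static Object invoke(String className, String methodName, String arg) throws Exception {
        if (!isAllowed(className, methodName)) {
            // Reject before Class.forName so no static initializer of an unlisted class runs.
            throw new SecurityException("rejected job target: " + className + "#" + methodName);
        }
        // initialize=false defers static initialization until the allowed class is actually used.
        Class<?> clazz = Class.forName(className, false, SafeJobInvoker.class.getClassLoader());
        Constructor<?> ctor = clazz.getDeclaredConstructor();
        Method method = clazz.getMethod(methodName, String.class);
        return method.invoke(ctor.newInstance(), arg);
    }

    public static void main(String[] args) {
        // A listed job passes the gate; an unlisted class (here an EL evaluator) is refused.
        System.out.println("ReportJob#run allowed: " + isAllowed("com.example.jobs.ReportJob", "run"));
        System.out.println("ELProcessor#eval allowed: " + isAllowed("jakarta.el.ELProcessor", "eval"));
        try {
            invoke("jakarta.el.ELProcessor", "eval", "ignored");
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        } catch (Exception e) {
            System.out.println("unexpected: " + e);
        }
    }
}
```

Pair the allow-list with the CM-5 restriction above: even an authorized operator should only be able to select from the listed job classes, never type a class name.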
Details
- CWE(s)