Cyber Resilience

CVE-2025-67728

CriticalRCE

Published: 12 December 2025

Published
12 December 2025
Modified
22 December 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0039 60.3th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-67728 is a critical-severity Command Injection (CWE-77) vulnerability in Shaneisrael Fireshare. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 39.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-67728 is a critical command injection vulnerability (CWE-77) in Fireshare, a self-hosted media and link sharing application. It affects versions 1.2.30 and below, where a malicious filename provided during video file uploads is directly concatenated into a shell command without proper sanitization or validation. Published on 2025-12-12, the flaw enables path traversal or remote code execution (RCE) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

The vulnerability can be exploited by an authenticated user or, if the Public Uploads setting is enabled, by an unauthenticated remote attacker over the network with low complexity and no user interaction required. By crafting a specially formatted filename in a video upload, attackers can write files to arbitrary directories via path traversal or inject commands for RCE, potentially leading to full system compromise including high confidentiality, integrity, and availability impacts.

Fireshare version 1.3.0 addresses the issue with a fix detailed in the commit at https://github.com/ShaneIsrael/fireshare/commit/157386c85f6683f89192dae52115069b435b6d34. Additional mitigation guidance is available in the GitHub security advisory at https://github.com/ShaneIsrael/fireshare/security/advisories/GHSA-c4f5-g622-q72m. Security practitioners should upgrade to 1.3.0 and review Public Uploads configurations.

EU & UK References

Vulnerability details

Fireshare facilitates self-hosted media and link sharing. Versions 1.2.30 and below allow an authenticated user, or unauthenticated user if the Public Uploads setting is enabled, to craft a malicious filename when uploading a video file. The malicious filename is then…

more

concatenated directly into a shell command, which can be used for uploading files to arbitrary directories via path traversal, or executing system commands for Remote Code Execution (RCE). This issue is fixed in version 1.3.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

The vulnerability is a command injection (CWE-77) in a public-facing web application (Fireshare) exploitable remotely without authentication if public uploads are enabled, enabling RCE via shell command execution. This directly maps to T1190 (Exploit Public-Facing Application) and T1059 (Command and Scripting Interpreter).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34745Same product: Shaneisrael Fireshare
CVE-2026-33645Same product: Shaneisrael Fireshare
CVE-2025-67397Shared CWE-77
CVE-2024-55030Shared CWE-77
CVE-2025-24818Shared CWE-77
CVE-2025-9223Shared CWE-77
CVE-2026-8431Shared CWE-77
CVE-2026-44869Shared CWE-77
CVE-2025-70093Shared CWE-77
CVE-2025-0593Shared CWE-77

Affected Assets

shaneisrael
fireshare
≤ 1.3.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of uploaded filenames to block malicious payloads that enable command injection and path traversal.

prevent

Mandates timely flaw remediation by patching to Fireshare version 1.3.0, which fixes the command injection vulnerability.

prevent

Restricts filename inputs to permitted types and formats, preventing inclusion of shell metacharacters that lead to RCE.

References