Cyber Resilience

CVE-2025-6775

LowPublic PoC

Published: 27 June 2025

Published
27 June 2025
Modified
29 April 2026
KEV Added
Patch
CVSS Score v4 2.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0260 85.9th percentile
Risk Priority 6 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-6775 is a low-severity Injection (CWE-74) vulnerability in Xiaoyunjie Openvpn-Cms-Flask. Its CVSS base score is 2.1 (Low).

Operationally, ranked in the top 14.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

A critical command injection vulnerability has been identified in xiaoyunjie openvpn-cms-flask versions up to 1.2.7. The flaw resides in the create_user function within the file /app/api/v1/openvpn.py at the User Creation Endpoint, where unsanitized input to the Username argument enables arbitrary command execution. The issue is tracked under CWE-74 and CWE-77 and carries a CVSS 4.0 score reflecting network-accessible attack with low privileges required.

An attacker with low-privileged remote access can supply crafted usernames to inject and execute operating system commands through the affected endpoint. Successful exploitation grants limited control over confidentiality, integrity, and availability within the application context, and a working proof-of-concept has already been published.

The project maintainers have released version 1.2.8 containing commit e23559b98c8ea2957f09978c29f4e512ba789eb6 that resolves the injection flaw; upgrading the affected component is the recommended mitigation. Public references including the GitHub issue tracker and release notes confirm the availability of the patch.

EPSS remains flat at 0.0260 with no material increase observed since disclosure.

EU & UK References

Vulnerability details

A vulnerability classified as critical has been found in xiaoyunjie openvpn-cms-flask up to 1.2.7. This affects the function create_user of the file /app/api/v1/openvpn.py of the component User Creation Endpoint. The manipulation of the argument Username leads to command injection. It…

more

is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.2.8 is able to address this issue. The patch is named e23559b98c8ea2957f09978c29f4e512ba789eb6. It is recommended to upgrade the affected component.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

xiaoyunjie
openvpn-cms-flask
≤ 1.2.8

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-74

Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.

addresses: CWE-74

Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.

References