CVE-2025-6775
Published: 27 June 2025
Summary
CVE-2025-6775 is a low-severity Injection (CWE-74) vulnerability in Xiaoyunjie Openvpn-Cms-Flask. Its CVSS base score is 2.1 (Low).
Operationally, it ranks in the top 14.1% of CVEs by exploit likelihood. It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
A critical command injection vulnerability has been identified in xiaoyunjie openvpn-cms-flask versions up to 1.2.7. The flaw resides in the create_user function in the file /app/api/v1/openvpn.py, part of the User Creation Endpoint, where unsanitized input to the Username argument enables arbitrary command execution. The issue is tracked under CWE-74 and CWE-77 and carries a CVSS 4.0 score reflecting a network-accessible attack with low privileges required.
An attacker with low-privileged remote access can supply crafted usernames to inject and execute operating system commands through the affected endpoint. Successful exploitation grants limited control over confidentiality, integrity, and availability within the application context, and a working proof-of-concept has already been published.
The project maintainers have released version 1.2.8 containing commit e23559b98c8ea2957f09978c29f4e512ba789eb6 that resolves the injection flaw; upgrading the affected component is the recommended mitigation. Public references including the GitHub issue tracker and release notes confirm the availability of the patch.
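As an added example (not the project's code and not the contents of the 1.2.8 patch), the following shows the general defence for a username field that ends up in an OS command: strict allow-list validation plus an argument vector that never passes through a shell. The script path, function names and allow-list pattern are assumptions, and the crafted input is a constructed sample.

```python
import re
import shlex

# Placeholder: the command the real create_user runs is not shown on the page.
ADD_USER_SCRIPT = "/path/to/add-vpn-user.sh"  # hypothetical

# Assumed allow-list: 1-32 characters, first one alphanumeric (so no leading
# '-' that a tool could read as an option), then letters, digits, '.', '_', '-'.
USERNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,31}")


class InvalidUsername(ValueError):
    """Raised when a submitted username falls outside the allow-list."""


def validate_username(username):
    # fullmatch() rejects a trailing newline, which match() with '$' would accept.
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise InvalidUsername("username not in allow-list")
    return username


def unsafe_command_string(username):
    """The injectable pattern: input concatenated into a shell command line.
    Returned for inspection only; nothing here executes it."""
    return ADD_USER_SCRIPT + " " + username


def shell_tokens(command):
    """Split a command line the way a POSIX shell sees it, keeping control
    operators such as ';' as their own tokens."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


def safe_argv(username):
    """Argument vector for subprocess.run(argv, shell=False): the username is
    validated and always stays a single argument."""
    return [ADD_USER_SCRIPT, validate_username(username)]


if __name__ == "__main__":
    crafted = "alice;id"  # constructed sample input
    print(shell_tokens(unsafe_command_string(crafted)))
    print(safe_argv("alice"))
    try:
        safe_argv(crafted)
    except InvalidUsername as exc:
        print("rejected:", exc)
```

The token list for the concatenated string contains a standalone `;`, which is what turns one intended command into two; the validated argument vector cannot be split that way.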
EPSS remains flat at 0.0260 with no material increase observed since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-19425
Vulnerability details
A vulnerability classified as critical has been found in xiaoyunjie openvpn-cms-flask up to 1.2.7. This affects the function create_user of the file /app/api/v1/openvpn.py of the component User Creation Endpoint. The manipulation of the argument Username leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.2.8 is able to address this issue. The patch is named e23559b98c8ea2957f09978c29f4e512ba789eb6. It is recommended to upgrade the affected component.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.
Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.