Cyber Posture

CVE-2025-69269

CriticalRCE

Published: 12 January 2026

Published
12 January 2026
Modified
14 January 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0018 39.4th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-69269 is a critical-severity OS Command Injection (CWE-78) vulnerability in Broadcom Dx Netops Spectrum. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

SI-10 directly mitigates OS command injection (CWE-78) by requiring validation and neutralization of special elements in inputs before they are used in OS commands.

SI-2 Flaw Remediation good match
prevent

SI-2 requires timely remediation of known flaws, directly addressing CVE-2025-69269 through patching as specified in the Broadcom advisory.

RA-5 Vulnerability Monitoring and Scanning good match
prevent

RA-5 ensures vulnerabilities like CVE-2025-69269 are identified via scanning and remediated based on risk, preventing exploitation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
attack.mitre.org →
Why these techniques?

OS Command Injection in a network-accessible service enables exploitation of public-facing applications (T1190) to execute arbitrary OS commands via command interpreters (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows OS Command Injection.This issue affects DX NetOps Spectrum: 23.3.6 and earlier.

Deeper analysisAI

CVE-2025-69269 is an improper neutralization of special elements used in an OS command, classified as an OS Command Injection vulnerability (CWE-78), affecting Broadcom DX NetOps Spectrum versions 23.3.6 and earlier on both Windows and Linux platforms. Published on 2026-01-12, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as a critical issue due to its potential for severe impact.

The vulnerability enables exploitation over the network with low complexity, requiring no privileges, authentication, or user interaction. Attackers can remotely inject and execute arbitrary operating system commands on the affected system, potentially leading to complete compromise with high impacts on confidentiality, integrity, and availability.

Mitigation guidance and patch information are detailed in the Broadcom security advisory available at https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756.

Details

CWE(s)
CWE-78

Affected Products

broadcom
dx netops spectrum
≤ 23.3.7

CVEs Like This One

CVE-2025-69273Same product: Broadcom Dx Netops Spectrum
CVE-2025-69270Same product: Broadcom Dx Netops Spectrum
CVE-2025-69274Same product: Broadcom Dx Netops Spectrum
CVE-2025-23316Same product: Linux Linux Kernel
CVE-2025-69272Same product: Broadcom Dx Netops Spectrum
CVE-2025-69276Same product: Broadcom Dx Netops Spectrum
CVE-2025-69271Same product: Broadcom Dx Netops Spectrum
CVE-2025-9588Same product: Linux Linux Kernel
CVE-2024-41783Same product: Linux Linux Kernel
CVE-2024-41763Same product: Linux Linux Kernel

References