Cyber Resilience

CVE-2025-7145

High · RCE

Published: 07 July 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score v4: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0166 (82.5th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-7145 is a high-severity OS Command Injection (CWE-78) vulnerability in ThreatSonar Anti-Ransomware, developed by TeamT5. Its CVSS base score is 8.6 (High).

Operationally, it ranks in the top 17.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

ThreatSonar Anti-Ransomware, developed by TeamT5, contains an OS command injection vulnerability tracked as CVE-2025-7145 and assigned CWE-78. The flaw permits injection of arbitrary operating system commands through the product platform and carries a CVSS 4.0 score of 8.6, reflecting a network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability.

Remote attackers who already possess intermediate privileges on the product platform can exploit the issue to execute commands on the underlying server and thereby obtain administrative access to the remote host. The EPSS score remains low and unchanged at 0.0166 with no material increase after disclosure.

Taiwan's CERT has published advisories describing the vulnerability at the referenced URLs. No information on patches, workarounds, or confirmed exploitation in the wild is provided in the available data.

EU & UK References

Vulnerability details

ThreatSonar Anti-Ransomware developed by TeamT5 has an OS Command Injection vulnerability, allowing remote attackers with product platform intermediate privileges to inject arbitrary OS commands and execute them on the server, thereby gaining administrative access to the remote host.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Org
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

References