Cyber Resilience

CVE-2025-7916

Critical · RCE

Published: 21 July 2025
Modified: 15 April 2026
KEV Added: not listed
CVSS v4.0 score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
EPSS score: 0.0466 (89.5th percentile)
Risk Priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-7916 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in WinMatrix3, a product of Simopro Technology (vendor and product are inferred from the advisory references and description, since NVD filed no CPE for this CVE). Its CVSS v4.0 base score is 9.3 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 10.5% of CVEs by exploit likelihood (EPSS 0.0466, 89.5th percentile) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

WinMatrix3, a product developed by Simopro Technology, contains an insecure deserialization flaw tracked as CVE-2025-7916 and classified as CWE-502. The vulnerability lies in the application's handling of serialized data it receives, and it carries a CVSS 4.0 base score of 9.3: the attack vector is the network, attack complexity is low, no privileges or user interaction are required, and the impact on confidentiality, integrity and availability is high.

An unauthenticated remote attacker exploits the issue by sending maliciously crafted serialized content to the server; the server deserializes it and the attacker obtains arbitrary code execution, giving full control of the affected system. The attack needs no credentials and is launched directly over the network, which is why this is an Initial Access technique rather than a post-compromise one.

Public advisories from the Taiwan Computer Emergency Response Team (TWCERT/CC) are the primary references for the flaw. The current EPSS score of 0.0466 is essentially unchanged from its recorded peak.


Vulnerability details

WinMatrix3 developed by Simopro Technology has an Insecure Deserialization vulnerability, allowing unauthenticated remote attackers to execute arbitrary code on the server by sending maliciously crafted serialized contents.

CWE(s): CWE-502 Deserialization of Untrusted Data

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Insecure deserialization in a network-accessible server product directly enables unauthenticated remote code execution on a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13770 (shared CWE-502)
CVE-2026-27303 (shared CWE-502)
CVE-2025-53586 (shared CWE-502)
CVE-2025-64353 (shared CWE-502)
CVE-2025-31047 (shared CWE-502)
CVE-2026-27096 (shared CWE-502)
CVE-2023-49886 (shared CWE-502)
CVE-2026-23542 (shared CWE-502)
CVE-2025-66631 (shared CWE-502)
CVE-2026-40044 (shared CWE-502)

Affected Assets

WinMatrix3 (Simopro Technology)
Inferred from the references and description; NVD did not file a CPE for this CVE, so affected versions are not enumerated here.

Mitigating Controls (NIST 800-53 r5; AI-generated mapping)

SI-10 Information Input Validation (prevent)

Directly validates incoming serialized data at input points to block malicious deserialization payloads that lead to arbitrary code execution. In practice this means refusing to resolve any type or callable not on an explicit allowlist during deserialization, and then validating the decoded object's type and field values before the application acts on it.

SI-2 Flaw Remediation (prevent)

Remediates the specific insecure deserialization flaw through timely identification, reporting, and patching of the WinMatrix3 vulnerability.

SI-16 Memory Protection (prevent; control ID inferred from the description)

Provides memory safeguards such as DEP and ASLR to mitigate arbitrary code execution resulting from successful deserialization exploits. Note that deserialization gadget chains invoke legitimate, already-loaded code rather than injecting shellcode, so DEP and ASLR offer limited protection against this class of bug; the input validation and patching controls carry the weight.
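The exploitation path described under Deeper analysis (an unauthenticated client sends crafted serialized content, the server deserializes it, and code runs before any application logic sees the result) and the SI-10 control above, shown together as an added example. This is constructed demonstration code, not WinMatrix3 or Simopro Technology code; the page does not say which serialization format WinMatrix3 uses, so Python's pickle stands in for it. The ReportRequest type, the attacker_sink function (a side-effect-free stand-in for os.system) and both payloads are assumptions made for the demo.

```python
"""CWE-502 in miniature: an endpoint that deserializes whatever the network
sends, beside a hardened loader that allowlists globals and then validates
the decoded object (NIST SP 800-53 SI-10). Constructed demo, not WinMatrix3
code; pickle stands in for whatever format the real product uses."""
import io
import pickle

# Constructed stand-in for os.system so the demo has no side effects.
# A real gadget would name os.system, subprocess.Popen or similar here.
SINK_CALLS: list = []


def attacker_sink(cmd):
    SINK_CALLS.append(cmd)
    return cmd


class ReportRequest:
    """The only object the hypothetical endpoint legitimately expects."""

    def __init__(self, report_id, fmt):
        self.report_id = report_id
        self.fmt = fmt


class Exploit:
    """Attacker-defined class. Its __reduce__ instructs the unpickler to call
    attacker_sink("calc.exe") while reconstructing the object, i.e. before
    the application ever looks at the result."""

    def __reduce__(self):
        return (attacker_sink, ("calc.exe",))


def build_benign_payload():
    return pickle.dumps(ReportRequest(42, "pdf"))


def build_malicious_payload():
    return pickle.dumps(Exploit())


def unsafe_load(raw):
    """Vulnerable pattern: pickle.loads resolves and invokes any importable
    callable named in the byte stream, so the sender chooses the callee."""
    return pickle.loads(raw)


# Hardened loader: resolve only the globals the protocol needs. Anything else
# named in the stream (os.system, builtins.eval, ...) is refused before it is
# even looked up, let alone called.
ALLOWED_GLOBALS = {(ReportRequest.__module__, ReportRequest.__qualname__)}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_load(raw):
    return RestrictedUnpickler(io.BytesIO(raw)).load()


ALLOWED_FORMATS = {"pdf", "csv"}


def validate_request(obj):
    """SI-10 at the application layer: check the decoded object's type and
    field values, not merely that decoding succeeded."""
    if type(obj) is not ReportRequest:
        raise TypeError(f"unexpected type {type(obj).__name__}")
    if type(obj.report_id) is not int or obj.report_id <= 0:
        raise ValueError("report_id must be a positive integer")
    if obj.fmt not in ALLOWED_FORMATS:
        raise ValueError(f"unsupported format {obj.fmt!r}")
    return obj


def process_request(raw, loader):
    """Returns (accepted, detail). Validation after unsafe_load comes too
    late: the gadget has already executed during loading."""
    try:
        req = validate_request(loader(raw))
        return True, f"report_id={req.report_id} fmt={req.fmt}"
    except (pickle.UnpicklingError, TypeError, ValueError) as exc:
        return False, f"rejected: {exc}"


if __name__ == "__main__":
    for label, loader in (("unsafe", unsafe_load), ("restricted", safe_load)):
        SINK_CALLS.clear()
        print(label, "benign:", process_request(build_benign_payload(), loader))
        print(label, "malicious:", process_request(build_malicious_payload(), loader),
              "sink calls:", SINK_CALLS)
```

Running the script shows the point that matters operationally: with unsafe_load the malicious request is rejected by validation, but SINK_CALLS already contains "calc.exe", because the gadget ran inside the deserializer. With RestrictedUnpickler the forbidden global is refused before anything is resolved and the sink never fires. The allowlist is a second line of defence; the first is not to accept a native object serializer from unauthenticated peers at all and to use a data-only format with a schema instead.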
