CVE-2025-8259
Published: 28 July 2025
Summary
CVE-2025-8259 is a medium-severity Command Injection (CWE-77) vulnerability in Vaelsys VaelsysV4. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 9.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
A vulnerability identified as CVE-2025-8259 affects Vaelsys VaelsysV4 versions up to 5.1.0 and 5.4.0. It resides in the execute_DataObjectProc function within the /grid/vgrid_server.php file of the web interface component, where improper handling of the xajaxargs argument permits OS command injection, corresponding to CWE-77 and CWE-78.
The flaw can be exploited remotely by unauthenticated attackers over the network to execute arbitrary operating system commands on the affected system. A publicly available exploit exists that demonstrates this capability, and the CVSS 4.0 score of 5.5 reflects the absence of required privileges or user interaction.
Vendor guidance and associated references recommend upgrading the affected component to version 5.1.1 or 5.4.1 to address the issue, with an official security advisory published by Vaelsys alongside a detailed technical report containing proof-of-concept details. The EPSS score has remained flat at 0.0601 with no material increase observed since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22854
Vulnerability details
A vulnerability was identified in Vaelsys VaelsysV4 up to 5.1.0/5.4.0. Affected by this issue is the function execute_DataObjectProc of the file /grid/vgrid_server.php of the component Web interface. Such manipulation of the argument xajaxargs leads to OS command injection. The attack can be executed remotely. The exploit is publicly available and might be used. Upgrading to version 5.1.1 and 5.4.1 can resolve this issue. It is suggested to upgrade the affected component.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote OS command injection in public-facing PHP web application (/grid/vgrid_server.php) enables T1190 (exploit public-facing app), T1059.004 (Unix shell execution via injection), and T1202 (indirect command execution as noted in VulDB).
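The T1190 mapping above is only useful to a defender if it turns into something a SOC can look for. The following is an added detection example (not from the advisory, VulDB or Vaelsys): it scans constructed Apache-style access-log lines for requests to /grid/vgrid_server.php whose xajaxargs values carry shell metacharacters, and separately flags POST requests to that script, since access logs do not record the POST body in which xajax normally ships its arguments. The log lines, the `xajax=`/`xajaxargs[]=` query convention and the metacharacter list are assumptions made for the example.

```python
import re
from typing import Optional, List, Dict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Jul/2025:10:00:01 +0000] "GET /grid/vgrid_server.php?xajax=execute_DataObjectProc&xajaxargs[]=orders HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [28/Jul/2025:10:00:02 +0000] "GET /grid/vgrid_server.php?xajax=execute_DataObjectProc&xajaxargs[]=orders%3Buname HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.12 - - [28/Jul/2025:10:00:03 +0000] "GET /index.php?page=home HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.13 - - [28/Jul/2025:10:00:04 +0000] "POST /grid/vgrid_server.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
"""

# Shell metacharacters that have no place in a data-object identifier (assumed list).
SHELL_META = re.compile(r"[;|&`$<>\n\r]|\$\(")

# Apache/nginx combined log format; the request line is split into method, target, protocol.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Path named in the advisory.
VULN_PATH = "/grid/vgrid_server.php"


def inspect_request(method: str, target: str) -> Optional[str]:
    """Return a finding for one request line, or None if nothing stands out."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    if method == "POST":
        # xajax normally POSTs its arguments and access logs do not keep bodies,
        # so this can only be resolved with WAF or request-body logging.
        return "POST to vgrid_server.php: xajaxargs not visible in access log, inspect body"
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in params.items():
        if not key.startswith("xajaxargs"):
            continue
        for value in values:
            if SHELL_META.search(value):
                return f"shell metacharacter in {key}={value!r}"
    return None


def scan_access_log(text: str) -> List[Dict[str, str]]:
    """Run inspect_request over every parseable log line and collect findings."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = inspect_request(m["method"], m["target"])
        if reason:
            findings.append({"ip": m["ip"], "ts": m["ts"], "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

The second log line is the interesting one: parse_qs decodes `%3B` back to `;` before the metacharacter check runs, which is why the check must run on decoded values rather than on the raw request line. The fourth line shows the limit of access-log-only detection for xajax endpoints.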
Mitigating Controls (NIST 800-53 r5)
SI-10 directly prevents OS command injection by requiring validation of untrusted inputs like the xajaxargs argument in execute_DataObjectProc.
SI-2 mandates timely flaw remediation, such as upgrading VaelsysV4 to versions 5.1.1 or 5.4.1 to fix this command injection vulnerability.
RA-5 requires vulnerability scanning to identify and remediate specific flaws like CVE-2025-8259 prior to remote exploitation.
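SI-10 is the control that would have closed this class of bug at the code level. The following is an added example of what that validation looks like in practice; it is not Vaelsys code and does not reproduce execute_DataObjectProc, whose internals are not on this page. It assumes that the xajaxargs values are data-object identifiers matching a narrow allowlist and that the handler ends up running an external tool with them. It shows the weak pattern (values interpolated into a shell string, never executed here) next to the hardened one (allowlist validation first, then an argv list passed with shell=False so no shell parses the values).

```python
import re
import subprocess
from typing import List

# Allowlist: a data-object identifier is letters, digits and underscore only (assumed format).
OBJECT_NAME = re.compile(r"^[A-Za-z0-9_]{1,64}$")


class InvalidArgument(ValueError):
    """Raised when an xajaxargs value fails allowlist validation."""


def is_valid_data_object_arg(value) -> bool:
    """Positive validation: only accept what the application actually expects."""
    return isinstance(value, str) and OBJECT_NAME.match(value) is not None


def validate_data_object_args(args: List[str]) -> List[str]:
    """SI-10 style input validation: reject the whole request on the first bad value,
    before any command is assembled."""
    for value in args:
        if not is_valid_data_object_arg(value):
            raise InvalidArgument(f"rejected xajaxargs value: {value!r}")
    return list(args)


def build_command_unsafe(tool: str, args: List[str]) -> str:
    """The weak pattern: untrusted values joined into one shell string. Any ';', '|',
    '$(' or similar in a value is parsed by the shell as additional commands.
    Kept here only for contrast; this example never executes it."""
    return f"{tool} {' '.join(args)}"


def build_command(tool: str, args: List[str]) -> List[str]:
    """Hardened pattern: validate, then return an argv list to be run with shell=False."""
    return [tool, *validate_data_object_args(args)]


def run_data_object_proc(tool: str, args: List[str]) -> str:
    """Execute the hypothetical tool with validated arguments and no shell."""
    argv = build_command(tool, args)
    result = subprocess.run(argv, shell=False, capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # 'echo' stands in for the real tool; the second call is blocked by validation.
    print(run_data_object_proc("echo", ["orders"]).strip())
    try:
        run_data_object_proc("echo", ["orders;uname"])
    except InvalidArgument as exc:
        print("blocked:", exc)
```

Two points carry over to any PHP fix of the same shape: the allowlist is positive (what is allowed), not a denylist of metacharacters that will miss an encoding, and the validated values are handed to the process as separate arguments rather than to a shell, so even a gap in the allowlist cannot become a second command.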