Cyber Resilience

CVE-2025-8259

MediumPublic PoC

Published: 28 July 2025

Published
28 July 2025
Modified
29 April 2026
KEV Added
Patch
CVSS Score v4 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0601 90.9th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-8259 is a medium-severity Command Injection (CWE-77) vulnerability in Vaelsys Vaelsys. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

A vulnerability identified as CVE-2025-8259 affects Vaelsys VaelsysV4 versions up to 5.1.0 and 5.4.0. It resides in the execute_DataObjectProc function within the /grid/vgrid_server.php file of the web interface component, where improper handling of the xajaxargs argument permits OS command injection, corresponding to CWE-77 and CWE-78.

The flaw can be exploited remotely by unauthenticated attackers over the network to execute arbitrary operating system commands on the affected system. A publicly available exploit exists that demonstrates this capability, and the CVSS 4.0 score of 5.5 reflects the absence of required privileges or user interaction.

Vendor guidance and associated references recommend upgrading the affected component to version 5.1.1 or 5.4.1 to address the issue, with an official security advisory published by Vaelsys alongside a detailed technical report containing proof-of-concept details. The EPSS score has remained flat at 0.0601 with no material increase observed since disclosure.

EU & UK References

Vulnerability details

A vulnerability was identified in Vaelsys VaelsysV4 up to 5.1.0/5.4.0. Affected by this issue is the function execute_DataObjectProc of the file /grid/vgrid_server.php of the component Web interface. Such manipulation of the argument xajaxargs leads to os command injection. The attack…

more

can be executed remotely. The exploit is publicly available and might be used. Upgrading to version 5.1.1 and 5.4.1 can resolve this issue. It is suggested to upgrade the affected component.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
T1202 Indirect Command Execution Stealth
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
Why these techniques?

Unauthenticated remote OS command injection in public-facing PHP web application (/grid/vgrid_server.php) enables T1190 (exploit public-facing app), T1059.004 (Unix shell execution via injection), and T1202 (indirect command execution as noted in VulDB).

CVEs Like This One

CVE-2026-2952Same product: Vaelsys Vaelsys
CVE-2025-8261Same product: Vaelsys Vaelsys
CVE-2025-7414Shared CWE-77, CWE-78
CVE-2025-8828Shared CWE-77, CWE-78
CVE-2025-10327Shared CWE-77, CWE-78
CVE-2025-14586Shared CWE-77, CWE-78
CVE-2025-11138Shared CWE-77, CWE-78
CVE-2025-9026Shared CWE-77, CWE-78
CVE-2025-10326Shared CWE-77, CWE-78
CVE-2025-10328Shared CWE-77, CWE-78

Affected Assets

vaelsys
vaelsys
4.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 directly prevents OS command injection by requiring validation of untrusted inputs like the xajaxargs argument in execute_DataObjectProc.

prevent

SI-2 mandates timely flaw remediation, such as upgrading VaelsysV4 to versions 5.1.1 or 5.4.1 to fix this command injection vulnerability.

prevent

RA-5 requires vulnerability scanning to identify and remediate specific flaws like CVE-2025-8259 prior to remote exploitation.

References