CVE-2025-8752

HighPublic PoC

Published: 09 August 2025

Published

09 August 2025

Modified

29 April 2026

KEV Added

—

Patch

—

CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0057 68.9th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-8752 is a high-severity Injection (CWE-74) vulnerability in Xuanshao Spring-Shiro-Training. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 31.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SA-11 Developer Testing and Evaluation

addresses: CWE-74

Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.

SI-4 System Monitoring

addresses: CWE-74

Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059 Command and Scripting Interpreter Execution

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

attack.mitre.org →

Why these techniques?

Direct command injection in public-facing web endpoint enables remote exploitation (T1190) and arbitrary command execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability was found in wangzhixuan spring-shiro-training up to 94812c1fd8f7fe796c931f4984ff1aa0671ab562. It has been declared as critical. This vulnerability affects unknown code of the file /role/add. The manipulation leads to command injection. The attack can be initiated remotely. The exploit has…

been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available.

Deeper analysisAI

CVE-2025-8752 is a command injection vulnerability (CWE-74, CWE-77) found in the wangzhixuan spring-shiro-training project up to commit 94812c1fd8f7fe796c931f4984ff1aa0671ab562. It affects unknown code in the /role/add file and has been rated critical with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). The vulnerability enables remote attackers to inject commands through manipulation of inputs to this endpoint.

Unauthenticated remote attackers with network access can exploit the issue by targeting the /role/add functionality, achieving low impacts on confidentiality, integrity, and availability through arbitrary command execution on the affected system.

The project employs continuous delivery with rolling releases, so no specific details on affected or updated versions are available. Mitigation guidance is referenced in Gitee issues at https://gitee.com/wangzhixuan/spring-shiro-training/issues/ICP2ME and VulDB entries including https://vuldb.com/?ctiid.319246, https://vuldb.com/?id.319246, and https://vuldb.com/?submit.623679.

The exploit has been publicly disclosed and may be used in attacks.

Details

CWE(s): CWE-74 CWE-77

Affected Products

xuanshao

spring-shiro-training

all versions

CVEs Like This One

CVE-2026-1066Shared CWE-74, CWE-77

CVE-2025-15133Shared CWE-74, CWE-77

CVE-2025-0328Shared CWE-74, CWE-77

CVE-2025-15132Shared CWE-74, CWE-77

CVE-2025-10962Shared CWE-74, CWE-77

CVE-2026-7058Shared CWE-74, CWE-77

CVE-2025-1947Shared CWE-74, CWE-77

CVE-2026-2956Shared CWE-74, CWE-77

CVE-2025-15131Shared CWE-74, CWE-77

CVE-2026-3943Shared CWE-74, CWE-77

References

https://gitee.com/wangzhixuan/spring-shiro-training/issues/ICP2ME
Exploit, Issue Tracking, Vendor Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.319246
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.319246
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.623679
Exploit, Third Party Advisory, VDB Entry · cna@vuldb.com
https://gitee.com/wangzhixuan/spring-shiro-training/issues/ICP2ME
Exploit, Issue Tracking, Vendor Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0