CVE-2025-8752
Published: 09 August 2025
Summary
CVE-2025-8752 is a medium-severity Injection (CWE-74) vulnerability in Xuanshao Spring-Shiro-Training. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 13.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
A vulnerability has been identified in the wangzhixuan spring-shiro-training project up to commit 94812c1fd8f7fe796c931f4984ff1aa0671ab562. The issue resides in unknown code within the /role/add endpoint and stems from improper handling of input that permits command injection, as indicated by the associated CWE-74 and CWE-77 classifications. The product follows a continuous delivery model with rolling releases, so no specific affected or patched versions are enumerated.
The flaw can be exploited remotely by unauthenticated attackers who supply crafted input to the affected endpoint, resulting in execution of arbitrary commands with limited impacts on confidentiality, integrity, and availability. Publicly available exploit details indicate that successful attacks do not require user interaction or special preconditions beyond network reachability.
No mitigation guidance or patch information appears in the referenced advisories or issue trackers. The EPSS score remains flat at 0.0289 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-24048
Vulnerability details
A vulnerability was found in wangzhixuan spring-shiro-training up to 94812c1fd8f7fe796c931f4984ff1aa0671ab562. It has been declared as critical. This vulnerability affects unknown code of the file /role/add. The manipulation leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected or updated releases are available.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct command injection in a public-facing web endpoint enables remote exploitation (T1190) and arbitrary command execution (T1059).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of untrusted inputs to the /role/add endpoint, blocking the command injection vectors described in CVE-2025-8752.
- AC-6 (Least Privilege): enforces least-privilege execution so that even a successful command injection at /role/add yields only minimal confidentiality/integrity/availability impact.
- Restricts the system to the minimal set of OS functions and interpreters, reducing the attack surface available for injected commands via the vulnerable endpoint.
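The following is an added example of the input-validation control (SI-10) applied to the fields a role-creation endpoint such as /role/add would receive. It is not code from the spring-shiro-training project and says nothing about how that project handles input; the class name, the field names, the length limits and the permitted character sets are assumptions chosen for illustration. The point it shows is allowlisting: each field is accepted only if it matches a narrow pattern, and anything else is rejected outright rather than cleaned up.

```java
import java.util.regex.Pattern;

// Added example (not code from the spring-shiro-training project): an allowlist
// validator for the untrusted fields a role-creation endpoint such as /role/add
// would receive. The field names, the 64/255 length limits and the permitted
// character sets are assumptions chosen for illustration.
public final class RoleInputValidator {

    // Allowlist for a role name: letters, digits, underscore, hyphen; 1 to 64 chars.
    private static final Pattern ROLE_NAME = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");

    // Allowlist for a free-text description: adds space and basic punctuation,
    // still no shell metacharacters (; | & ` $ ( ) < > and so on); up to 255 chars.
    private static final Pattern DESCRIPTION = Pattern.compile("^[A-Za-z0-9 _.,-]{0,255}$");

    private RoleInputValidator() {}

    /** Thrown when a field fails the allowlist; the caller maps it to HTTP 400. */
    public static final class ValidationException extends RuntimeException {
        public ValidationException(String message) {
            super(message);
        }
    }

    /** Returns the trimmed role name, or throws if it is absent or contains disallowed characters. */
    public static String requireRoleName(String raw) {
        if (raw == null) {
            throw new ValidationException("role name is required");
        }
        String value = raw.trim();
        if (!ROLE_NAME.matcher(value).matches()) {
            throw new ValidationException("role name must match [A-Za-z0-9_-]{1,64}");
        }
        return value;
    }

    /** Returns the trimmed description (empty if null), or throws on disallowed characters. */
    public static String requireDescription(String raw) {
        String value = raw == null ? "" : raw.trim();
        if (!DESCRIPTION.matcher(value).matches()) {
            throw new ValidationException("description contains disallowed characters or is too long");
        }
        return value;
    }

    // Constructed sample inputs: well-formed names plus strings carrying the
    // kind of metacharacters an injection filter must refuse.
    public static void main(String[] args) {
        String[] samples = {"admin", "ops-team_2", "", "admin;x", "$(x)", "a|b", "a".repeat(65)};
        for (String s : samples) {
            try {
                System.out.println("accepted: " + requireRoleName(s));
            } catch (ValidationException e) {
                System.out.println("rejected: \"" + s + "\" (" + e.getMessage() + ")");
            }
        }
    }
}
```

Rejecting rather than stripping is deliberate: deleting characters from a crafted value can leave a string that downstream code still interprets. In a Spring controller the same rule can be declared on the request DTO with Bean Validation's `@Pattern(regexp = ...)` and `@Valid` on the handler parameter, so the request fails with 400 before the handler body runs. Validation is the second line of defense here; the first is never handing request fields to an OS shell or interpreter at all, which is what the least-privilege and least-functionality controls above limit.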