Cyber Resilience

CVE-2025-8752

Medium · Public PoC

Published: 09 August 2025

Modified: 29 April 2026
CVSS Score (v4): 5.5 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0289 (86.6th percentile)
Risk Priority: 13 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-8752 is a medium-severity Injection (CWE-74) vulnerability in Xuanshao Spring-Shiro-Training. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 13.4% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

A vulnerability has been identified in the wangzhixuan spring-shiro-training project up to commit 94812c1fd8f7fe796c931f4984ff1aa0671ab562. The issue resides in unknown code within the /role/add endpoint and stems from improper handling of input that permits command injection, as indicated by the associated CWE-74 and CWE-77 classifications. The product follows a continuous delivery model with rolling releases, so no specific affected or patched versions are enumerated.

The flaw can be exploited remotely by unauthenticated attackers who supply crafted input to the affected endpoint, resulting in execution of arbitrary commands with limited impacts on confidentiality, integrity, and availability. Publicly available exploit details indicate that successful attacks do not require user interaction or special preconditions beyond network reachability.

No mitigation guidance or patch information appears in the referenced advisories or issue trackers. The EPSS score remains flat at 0.0289 with no material increase since disclosure.


Vulnerability details

A vulnerability was found in wangzhixuan spring-shiro-training up to 94812c1fd8f7fe796c931f4984ff1aa0671ab562. It has been declared as critical. This vulnerability affects unknown code of the file /role/add. The manipulation leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Direct command injection in a public-facing web endpoint enables remote exploitation (T1190) followed by arbitrary command execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-15131 (shared CWE-74, CWE-77)
CVE-2026-1687 (shared CWE-74, CWE-77)
CVE-2026-1414 (shared CWE-74, CWE-77)
CVE-2025-1845 (shared CWE-74, CWE-77)
CVE-2025-1947 (shared CWE-74, CWE-77)
CVE-2025-15133 (shared CWE-74, CWE-77)
CVE-2025-0328 (shared CWE-74, CWE-77)
CVE-2025-10962 (shared CWE-74, CWE-77)
CVE-2025-1946 (shared CWE-74, CWE-77)
CVE-2026-3943 (shared CWE-74, CWE-77)

Affected Assets

xuanshao spring-shiro-training (all versions)

Mitigating Controls (NIST 800-53 r5, AI)

Prevent (SI-10 Information Input Validation): Directly requires validation and sanitization of untrusted inputs to the /role/add endpoint, blocking the command injection vectors described in CVE-2025-8752.

Prevent (AC-6 Least Privilege): Enforces least-privilege execution so that even a successful command injection at /role/add yields only minimal confidentiality, integrity, and availability impact.

Prevent: Restricts the system to the minimal set of OS functions and interpreters, reducing the attack surface available for commands injected via the vulnerable endpoint.
