CVE-2025-9060
Published: 15 August 2025
Summary
CVE-2025-9060 is a critical-severity Improper Input Validation (CWE-20) vulnerability. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks in the top 27.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-9060 is a critical vulnerability in the MSoft MFlash application that enables execution of arbitrary code on the server. The flaw stems from insufficient validation of parameters (CWE-20: Improper Input Validation) within the integration configuration functionality, which is accessible only to MFlash administrators. The issue affects MFlash version 8.0 and potentially other versions, with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). The score reflects network accessibility, low attack complexity, a high-privilege requirement, and a changed scope, meaning the impact reaches beyond the vulnerable component itself.
Exploitation requires an authenticated MFlash administrator (PR:H) to interact with the vulnerable integration configuration feature over the network. A successful attack allows the adversary to execute arbitrary code on the server, potentially leading to full compromise including high confidentiality, integrity, and availability impacts across the affected scope.
The advisory recommends applying MFlash hotfix 8.2-653 dated 11.06.2025 or later to mitigate the vulnerability. Additional details are available in the advisory at https://github.com/klsecservices/Advisories/blob/master/K-MSoft-2025-002.md.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-25038
Vulnerability details
A vulnerability has been found in the MSoft MFlash application that allows execution of arbitrary code on the server. The issue occurs in the integration configuration functionality that is only available to MFlash administrators. The vulnerability is related to insufficient validation of parameters when setting up security components. This issue affects MFlash v. 8.0 and possibly others. To mitigate, apply the 8.2-653 hotfix (11.06.2025) and above.
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why this technique?
Direct RCE via improper input validation in a network-accessible server application (administrator-only feature).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly addresses the root cause of CWE-20 improper input validation by requiring validation of parameters in the MFlash integration configuration functionality.
- SI-2 (Flaw Remediation): Mitigates the vulnerability by identifying, reporting, and applying the recommended MFlash hotfix to remediate the arbitrary code execution flaw.
- Least privilege: Reduces exploitation likelihood by limiting the number of MFlash administrators with access to the vulnerable integration configuration feature.