CVE-2025-9060

Severity: Critical
Published: 15 August 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: hotfix 8.2-653 available
CVSS v3.1 Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0070 (72.4th percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-9060 is a critical-severity Improper Input Validation (CWE-20) vulnerability. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 27.6% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-9060 is a critical vulnerability in the MSoft MFlash application that enables execution of arbitrary code on the server. The flaw stems from insufficient validation of parameters (CWE-20: Improper Input Validation) within the integration configuration functionality, which is accessible only to MFlash administrators. The issue affects MFlash version 8.0 and potentially other versions. Its CVSS v3.1 base score is 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H): the vulnerability is reachable over the network with low attack complexity and no user interaction, requires high privileges (an authenticated administrator), and has a changed scope (S:C), meaning a successful exploit affects components beyond the vulnerable application itself.

Exploitation requires an authenticated MFlash administrator (PR:H) to interact with the vulnerable integration configuration feature over the network. A successful attack allows the adversary to execute arbitrary code on the server, potentially leading to full compromise including high confidentiality, integrity, and availability impacts across the affected scope.

The advisory recommends applying MFlash hotfix 8.2-653 dated 11.06.2025 or later to mitigate the vulnerability. Additional details are available in the advisory at https://github.com/klsecservices/Advisories/blob/master/K-MSoft-2025-002.md.

Vulnerability details

A vulnerability has been found in the MSoft MFlash application that allows execution of arbitrary code on the server. The issue occurs in the integration configuration functionality that is only available to MFlash administrators. The vulnerability is related to insufficient validation of parameters when setting up security components. This issue affects MFlash v. 8.0 and possibly others. To mitigate, apply the 8.2-653 hotfix (11.06.2025) and above.

CWE(s)

CWE-20: Improper Input Validation

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote code execution via improper input validation in a network-accessible server application (administrator-only feature).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-4755 (shared CWE-20)
CVE-2026-6973 (shared CWE-20)
CVE-2026-23836 (shared CWE-20)
CVE-2025-12275 (shared CWE-20)
CVE-2025-21344 (shared CWE-20)
CVE-2025-43347 (shared CWE-20)
CVE-2026-29143 (shared CWE-20)
CVE-2026-2880 (shared CWE-20)
CVE-2025-1514 (shared CWE-20)
CVE-2026-26063 (shared CWE-20)

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 (Information Input Validation) directly addresses the root cause of CWE-20 improper input validation by requiring validation of parameters in the MFlash integration configuration functionality.

Prevent: SI-2 (Flaw Remediation) mitigates the vulnerability by identifying, reporting, and applying the recommended MFlash hotfix to remediate the arbitrary code execution flaw.

Prevent: enforcing least privilege reduces exploitation likelihood by limiting the number of MFlash administrators with access to the vulnerable integration configuration feature.