Cyber Resilience

CVE-2025-9588

Critical · RCE · Updated

Published: 23 September 2025

Modified: 05 June 2026
KEV Added
Patch
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0059 (69.8th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-9588 is a critical-severity OS Command Injection (CWE-78) vulnerability in Iron Mountain EnVision. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 30.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-9588 is an OS Command Injection vulnerability (CWE-78) in Iron Mountain Archiving Services Inc.'s EnVision product. It stems from improper neutralization of special elements used in an OS command, enabling command injection. The issue affects EnVision versions before 250563 and was published on 2025-09-23 with a maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

Remote attackers require no privileges or user interaction to exploit this over the network with low complexity. Successful exploitation allows arbitrary command execution on the underlying OS, resulting in high-impact confidentiality, integrity, and availability violations, including potential full system compromise due to the changed scope.

The Turkish National Cyber Incident Response Center (USOM) has issued an advisory at https://www.usom.gov.tr/bildirim/tr-25-0285 detailing the vulnerability.

Vulnerability details

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Iron Mountain Archiving Services Inc. EnVision allows Command Injection. This issue affects enVision: before 250563.

CWE(s): CWE-78 (OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059 Command and Scripting Interpreter (Tactic: Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

OS command injection (CWE-78) in a public-facing application directly enables remote unauthenticated arbitrary command execution (T1190) and use of command interpreters/shells on the host OS (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

Affected Assets

Vendor: ironmountain
Product: envision
Affected versions: ≤ 250563

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

[prevent] SI-10 requires validation of information inputs, directly preventing OS command injection by neutralizing special elements used in OS commands.

[prevent] SI-2 mandates timely flaw remediation, directly addressing this CVE by applying the vendor patch that brings EnVision to version 250563 or later.

[prevent] AC-6 enforces least privilege, limiting the impact of arbitrary OS command execution by restricting the privileges of the affected EnVision process.