Cyber Posture

CVE-2025-9588

Critical · RCE

Published: 23 September 2025
Modified: 02 October 2025
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0034 (56.8th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-9588 is a critical-severity OS Command Injection (CWE-78) vulnerability in Iron Mountain EnVision. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 43.2% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

- prevent: SI-10 requires validation of information inputs, directly preventing OS command injection by neutralizing special elements used in OS commands.
- prevent: SI-2 mandates timely flaw remediation, directly addressing this CVE by applying the vendor patch to EnVision version 250563 or later.
- prevent: AC-6 enforces least privilege, limiting the impact of arbitrary OS command execution by restricting privileges of the affected EnVision process.

MITRE ATT&CK Enterprise Techniques [AI]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

OS command injection (CWE-78) in a public-facing application directly enables remote unauthenticated arbitrary command execution (T1190) and use of command interpreters/shells on the host OS (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Iron Mountain Archiving Services Inc. EnVision allows Command Injection. This issue affects enVision: before 250563.

Deeper analysis [AI]

CVE-2025-9588 is an OS Command Injection vulnerability (CWE-78) in Iron Mountain Archiving Services Inc.'s EnVision product. It stems from improper neutralization of special elements used in an OS command, enabling command injection. The issue affects EnVision versions before 250563 and was published on 2025-09-23 with a maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

Remote attackers require no privileges or user interaction to exploit this over the network with low complexity. Successful exploitation allows arbitrary command execution on the underlying OS, resulting in high-impact confidentiality, integrity, and availability violations, including potential full system compromise due to the changed scope.

The Turkish National Cyber Incident Response Center (USOM) has issued an advisory at https://www.usom.gov.tr/bildirim/tr-25-0285 detailing the vulnerability.

Details

CWE(s)

CWE-78 (Improper Neutralization of Special Elements used in an OS Command)

Affected Products

ironmountain envision, versions before 250563 (< 250563)
