CVE-2025-24817 - Nokia MantaRay NM

Vulnerability Description: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - CWE-78 

Software Version: All MantaRay NM versions earlier than 25R1-NM

NIST: https://nvd.nist.gov/vuln/detail/CVE-2025-24817

CVSS:

Severity: 

Credits: Andrea Carlo Maria Dattola, Cristina Coppola, Carlo Pannullo, Massimiliano Brolli

The application fails to properly validate input in the HTTP request payload, allowing command injection through specific parameters, leading to remote code execution.

Security Impact

Exploiting this remote code execution vulnerability allows an attacker to execute arbitrary commands on the system. This can lead to full system compromise, including obtaining a reverse shell, which grants persistent access to the underlying operating system. The attacker could further escalate privileges, exfiltrate sensitive data, or disrupt the application’s functionality.