CVE-2025-47959 - Vulnerability Details - OpenCVE

Improper neutralization of special elements used in a command ('command injection') in Visual Studio allows an authorized attacker to execute code over a network.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Microsoft	Visual Studio 2022

Configuration 1 [-]

OR	cpe:2.3:a:microsoft:visual_studio_2022::::::::
	cpe:2.3:a:microsoft:visual_studio_2022::::::::
	cpe:2.3:a:microsoft:visual_studio_2022::::::::
	cpe:2.3:a:microsoft:visual_studio_2022::::::::

No data.

References

Link	Providers
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47959

History

Tue, 15 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00059}`	epss `{'score': 0.00068}`

Fri, 11 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00057}`	epss `{'score': 0.00059}`

Thu, 10 Jul 2025 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Microsoft Microsoft visual Studio 2022
CPEs		cpe:2.3:a:microsoft:visual_studio_2022::::::::
Vendors & Products		Microsoft Microsoft visual Studio 2022

Fri, 13 Jun 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 13 Jun 2025 01:45:00 +0000

Type	Values Removed	Values Added
Description		Improper neutralization of special elements used in a command ('command injection') in Visual Studio allows an authorized attacker to execute code over a network.
Title		Visual Studio Remote Code Execution Vulnerability
Weaknesses		CWE-77
References		https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47959
Metrics		cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}`

MITRE

Status: PUBLISHED

Assigner: microsoft

Published: 2025-06-13T01:10:44.802Z

Updated: 2025-07-11T16:36:51.763Z

Reserved: 2025-05-14T14:13:13.464Z

Link: CVE-2025-47959

Vulnrichment

Updated: 2025-06-13T15:45:39.833Z

NVD

Status : Analyzed

Published: 2025-06-13T02:15:29.180

Modified: 2025-07-10T16:00:47.880

Link: CVE-2025-47959

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-47959", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2025-05-14T14:13:13.464Z", "datePublished": "2025-06-13T01:10:44.802Z", "dateUpdated": "2025-07-11T16:36:51.763Z"}, "containers": {"cna": {"title": "Visual Studio Remote Code Execution Vulnerability", "datePublic": "2025-06-10T07:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*", "versionStartIncluding": "17.12.0", "versionEndExcluding": "17.12.9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*", "versionStartIncluding": "17.8.0", "versionEndExcluding": "17.8.22"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*", "versionStartIncluding": "17.10.0", "versionEndExcluding": "17.10.16"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*", "versionStartIncluding": "17.14.0", "versionEndExcluding": "17.14.5"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.12", "platforms": ["Unknown"], "versions": [{"version": "17.12.0", "lessThan": "17.12.9", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.8", "platforms": ["Unknown"], "versions": [{"version": "17.8.0", "lessThan": "17.8.22", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.10", "platforms": ["Unknown"], "versions": [{"version": "17.10.0", "lessThan": "17.10.16", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.14", "platforms": ["Unknown"], "versions": [{"version": "17.14.0", "lessThan": "17.14.5", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Improper neutralization of special elements used in a command ('command injection') in Visual Studio allows an authorized attacker to execute code over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')", "lang": "en-US", "type": "CWE", "cweId": "CWE-77"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2025-07-11T16:36:51.763Z"}, "references": [{"name": "Visual Studio Remote Code Execution Vulnerability", "tags": ["vendor-advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47959"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-13T15:45:08.817121Z", "id": "CVE-2025-47959", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-13T15:45:45.125Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-47959", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-06-13T15:45:08.817121Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-13T15:45:39.833Z"}}], "cna": {"title": "Visual Studio Remote Code Execution Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.12", "versions": [{"status": "affected", "version": "17.12.0", "lessThan": "17.12.9", "versionType": "custom"}], "platforms": ["Unknown"]}, {"vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.8", "versions": [{"status": "affected", "version": "17.8.0", "lessThan": "17.8.22", "versionType": "custom"}], "platforms": ["Unknown"]}, {"vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.10", "versions": [{"status": "affected", "version": "17.10.0", "lessThan": "17.10.16", "versionType": "custom"}], "platforms": ["Unknown"]}, {"vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.14", "versions": [{"status": "affected", "version": "17.14.0", "lessThan": "17.14.5", "versionType": "custom"}], "platforms": ["Unknown"]}], "datePublic": "2025-06-10T07:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47959", "name": "Visual Studio Remote Code Execution Vulnerability", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en-US", "value": "Improper neutralization of special elements used in a command ('command injection') in Visual Studio allows an authorized attacker to execute code over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:visual_studio:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "17.12.9", "versionStartIncluding": "17.12.0"}, {"criteria": "cpe:2.3:a:microsoft:visual_studio:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "17.8.22", "versionStartIncluding": "17.8.0"}, {"criteria": "cpe:2.3:a:microsoft:visual_studio:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "17.10.16", "versionStartIncluding": "17.10.0"}, {"criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "17.14.5", "versionStartIncluding": "17.14.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2025-06-20T01:04:43.827Z"}}}, "cveMetadata": {"cveId": "CVE-2025-47959", "state": "PUBLISHED", "dateUpdated": "2025-06-20T01:04:43.827Z", "dateReserved": "2025-05-14T14:13:13.464Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2025-06-13T01:10:44.802Z", "assignerShortName": "microsoft"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*", "matchCriteriaId": "A8C2F8C1-F37A-4EE2-BBC3-53B0EDF070F7", "versionEndExcluding": "17.8.22", "versionStartIncluding": "17.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*", "matchCriteriaId": "6666F13E-6E1A-4FB3-9BB1-0BC0562BCAD9", "versionEndExcluding": "17.10.16", "versionStartIncluding": "17.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*", "matchCriteriaId": "E992833A-5B1E-4BE9-A722-C314F5AC94FB", "versionEndExcluding": "17.12.9", "versionStartIncluding": "17.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*", "matchCriteriaId": "FE1A759E-D531-40C8-BB96-362DEFE92F45", "versionEndExcluding": "17.14.5", "versionStartIncluding": "17.14.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper neutralization of special elements used in a command ('command injection') in Visual Studio allows an authorized attacker to execute code over a network."}, {"lang": "es", "value": "La neutralizaci\u00f3n incorrecta de elementos especiales utilizados en un comando ('inyecci\u00f3n de comando') en Visual Studio permite que un atacante autorizado ejecute c\u00f3digo a trav\u00e9s de una red."}], "id": "CVE-2025-47959", "lastModified": "2025-07-10T16:00:47.880", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2025-06-13T02:15:29.180", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47959"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "secure@microsoft.com", "type": "Primary"}]}