{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-9060", "assignerOrgId": "e45d732a-8f6b-4b6b-be76-7420f6a2b988", "state": "PUBLISHED", "assignerShortName": "Kaspersky", "dateReserved": "2025-08-15T11:02:05.206Z", "datePublished": "2025-08-15T16:25:21.405Z", "dateUpdated": "2025-08-15T17:51:51.859Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "MFlash", "vendor": "MSoft", "versions": [{"status": "affected", "version": "8.0"}]}], "credits": [{"lang": "en", "type": "finder", "value": "The vulnerability was discovered by Marsel Shagiev and Evgeny Velikoivanenko from Kaspersky (https://kaspersky.com)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A vulnerability has been found in the &nbsp;MSoft MFlash\n\n application that allows \nexecution of arbitrary code on the server. The issue occurs in the \nintegration configuration functionality that is only available to \nMFlash\n\n\n administrators. The vulnerability is related to insufficient validation\n of parameters when setting up security components.\n\n<p>This issue affects MFlash v. 8.0 and possibly others. To mitigate apply&nbsp;8.2-653 hotfix 11.06.2025 and above.</p>"}], "value": "A vulnerability has been found in the \u00a0MSoft MFlash\n\n application that allows \nexecution of arbitrary code on the server. The issue occurs in the \nintegration configuration functionality that is only available to \nMFlash\n\n\n administrators. The vulnerability is related to insufficient validation\n of parameters when setting up security components.\n\nThis issue affects MFlash v. 8.0 and possibly others. To mitigate apply\u00a08.2-653 hotfix 11.06.2025 and above."}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88 OS Command Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e45d732a-8f6b-4b6b-be76-7420f6a2b988", "shortName": "Kaspersky", "dateUpdated": "2025-08-15T16:25:21.405Z"}, "references": [{"url": "https://github.com/klsecservices/Advisories/blob/master/K-MSoft-2025-002.md"}], "source": {"discovery": "UNKNOWN"}, "title": "MFlash Remote Code Execution (RCE) after authentication of a user with the \"administrator\" role", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-15T17:51:40.064538Z", "id": "CVE-2025-9060", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-15T17:51:51.859Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9060", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-08-15T17:51:40.064538Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-15T17:51:45.475Z"}}], "cna": {"title": "MFlash Remote Code Execution (RCE) after authentication of a user with the \"administrator\" role", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "The vulnerability was discovered by Marsel Shagiev and Evgeny Velikoivanenko from Kaspersky (https://kaspersky.com)"}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88 OS Command Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "MSoft", "product": "MFlash", "versions": [{"status": "affected", "version": "8.0"}], "defaultStatus": "unknown"}], "references": [{"url": "https://github.com/klsecservices/Advisories/blob/master/K-MSoft-2025-002.md"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A vulnerability has been found in the \u00a0MSoft MFlash\n\n application that allows \nexecution of arbitrary code on the server. The issue occurs in the \nintegration configuration functionality that is only available to \nMFlash\n\n\n administrators. The vulnerability is related to insufficient validation\n of parameters when setting up security components.\n\nThis issue affects MFlash v. 8.0 and possibly others. To mitigate apply\u00a08.2-653 hotfix 11.06.2025 and above.", "supportingMedia": [{"type": "text/html", "value": "A vulnerability has been found in the &nbsp;MSoft MFlash\n\n application that allows \nexecution of arbitrary code on the server. The issue occurs in the \nintegration configuration functionality that is only available to \nMFlash\n\n\n administrators. The vulnerability is related to insufficient validation\n of parameters when setting up security components.\n\n<p>This issue affects MFlash v. 8.0 and possibly others. To mitigate apply&nbsp;8.2-653 hotfix 11.06.2025 and above.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "e45d732a-8f6b-4b6b-be76-7420f6a2b988", "shortName": "Kaspersky", "dateUpdated": "2025-08-15T16:25:21.405Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9060", "state": "PUBLISHED", "dateUpdated": "2025-08-15T17:51:51.859Z", "dateReserved": "2025-08-15T11:02:05.206Z", "assignerOrgId": "e45d732a-8f6b-4b6b-be76-7420f6a2b988", "datePublished": "2025-08-15T16:25:21.405Z", "assignerShortName": "Kaspersky"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in the \u00a0MSoft MFlash\n\n application that allows \nexecution of arbitrary code on the server. The issue occurs in the \nintegration configuration functionality that is only available to \nMFlash\n\n\n administrators. The vulnerability is related to insufficient validation\n of parameters when setting up security components.\n\nThis issue affects MFlash v. 8.0 and possibly others. To mitigate apply\u00a08.2-653 hotfix 11.06.2025 and above."}], "id": "CVE-2025-9060", "lastModified": "2025-08-15T17:15:34.887", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "vulnerability@kaspersky.com", "type": "Secondary"}]}, "published": "2025-08-15T17:15:34.887", "references": [{"source": "vulnerability@kaspersky.com", "url": "https://github.com/klsecservices/Advisories/blob/master/K-MSoft-2025-002.md"}], "sourceIdentifier": "vulnerability@kaspersky.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "vulnerability@kaspersky.com", "type": "Secondary"}]}

{}