CVE-2025-57644

EPSS 0.9%
Veröffentlicht 19.09.2025 00:00:00
Zuletzt bearbeitet 17.10.2025 14:21:55
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

Accela Automation Platform 22.2.3.0.230103 contains multiple vulnerabilities in the Test Script feature. An authenticated administrative user can execute arbitrary Java code on the server, resulting in remote code execution. In addition, improper input validation allows for arbitrary file write and server-side request forgery (SSRF), enabling interaction with internal or external systems. Successful exploitation can lead to full server compromise, unauthorized access to sensitive data, and further network exploitation.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 4 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Accela ≫ Automation Platform Version22.2.3.0.230103

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.9%	0.749

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.1	2.3	6	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://www.accela.com

Product

https://medium.com/@anvarkh/cve-2025-57644-remote-code-execution-ssrf-in-accela-eedc6bc4adfb

Third Party Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2025-57644

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-57644

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-57644

EUVD