MFlash Remote Code Execution (RCE) after authentication of a user...

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Description

A vulnerability has been found in the MSoft MFlash

application that allows
execution of arbitrary code on the server. The issue occurs in the
integration configuration functionality that is only available to
MFlash

administrators. The vulnerability is related to insufficient validation
of parameters when setting up security components.

This issue affects MFlash v. 8.0 and possibly others. To mitigate apply 8.2-653 hotfix 11.06.2025 and above.

Basic Information

ID CVE-2025-9060

Source Kaspersky

Published Aug 15, 2025 at 16:25

Affected Product

Vendor MSoft

Product MFlash

Version 8.0

Affected Versions MSoft MFlash 8.0

CWE Classification

CWE-20

References

github.com /klsecservices/Advisories/blob/master/K-MSoft-2025-002.md

{
    "lastseen": "",
    "description": "A vulnerability has been found in the \u00a0MSoft MFlash\n\n application that allows \nexecution of arbitrary code on the server. The issue occurs in the \nintegration configuration functionality that is only available to \nMFlash\n\n\n administrators. The vulnerability is related to insufficient validation\n of parameters when setting up security components.\n\nThis issue affects MFlash v. 8.0 and possibly others. To mitigate apply\u00a08.2-653 hotfix 11.06.2025 and above.",
    "published": "2025-08-15T16:25:21.405Z",
    "modified": "2025-08-15T16:25:21.405Z",
    "type": "cve",
    "title": "MFlash Remote Code Execution (RCE) after authentication of a user with the \"administrator\" role",
    "source": "Kaspersky",
    "references": "https://github.com/klsecservices/Advisories/blob/master/K-MSoft-2025-002.md",
    "id": "CVE-2025-9060",
    "bulletinFamily": "",
    "cwe": [
        "CWE-20"
    ],
    "cvelist": null,
    "sourceData": "MSoft MFlash 8.0",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "MFlash",
    "version": "8.0",
    "vendor": "MSoft",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

MFlash Remote Code Execution (RCE) after authentication of a user with the “administrator” role_CVE-2025-9060