CVE-2025-36727

high

Description

CVE-2025-36727: Inclusion of functionality from untrusted control sphere (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). It is possible to induce a client to run arbitrary code.

CVE-2025-36728: Cross-Site Request Forgery (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L). The server accepts parameters that can be manipulated to trick a user into unwanted actions.

Both of these issues, used in conjunction with each other, form an exploit chain that allows complete compromise of remote machines by an unauthenticated attacker. Due to recent threat actor activity around remote access software, we have decided to withhold full technical details for a period of time to allow for broad patching.

References

https://www.tenable.com/security/research/tra-2025-24

Details

Source: Mitre, NVD

Published: 2025-07-25

Risk Information

CVSS v2

Base Score: 7.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 8.3

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Severity: High