← back
CVE-2025-9060

MFlash Remote Code Execution (RCE) after authentication of a user with the "administrator" role

CVSS 9.1 CRITICALEPSS 0.5%CWE-20
Vexday Risk Score
28Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9.1EPSS 0.5%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
15 Aug 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
A vulnerability has been found in the  MSoft MFlash application that allows execution of arbitrary code on the server. The issue occurs in the integration configuration functionality that is only available to MFlash administrators. The vulnerability is related to insufficient validation of parameters when setting up security components. This issue affects MFlash v. 8.0 and possibly others. To mitigate apply 8.2-653 hotfix 11.06.2025 and above.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Affected products
MSoft · MFlash