CVE-2025-69600

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-69600
Command injection in Raynet rvia RayVentory Scan Engine 12.6 Update 8 and previous versions allows adversaries to execute commands via getconfig, upload, inventory, and oracle options.

7.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/Wise-Security/CVE-2025-69600
https://support.raynet.de/hc/en-us/articles/19518792826132-RVY200865-RayVentory-12-6
https://support.raynet.de/hc/en-us/articles/46163185339284-RSEC200966-Command-Injection-via-Unsafe-System-Calls-CVE-2025-69600
Configurations

No configuration.

History

01 Jun 2026, 17:16

Type Values Removed Values Added
References
  • () https://support.raynet.de/hc/en-us/articles/46163185339284-RSEC200966-Command-Injection-via-Unsafe-System-Calls-CVE-2025-69600 -
Summary (en) Command injection in Raynet rvia 12.6.4392.49-amd64.deb allows adversaries to execute commands via getconfig, and upload through the URL argument, and oracle through the -o flag The Supplier's perspective is that this is caused by Argument Injection in the find command query in rvia 12.6.4392.49. This in an arbitrary code execution flaw caused by an incorrectly constructed find command. The application actively searches for a Java executable by using search criteria that is not properly terminated or sanitized. By constructing a crafted directory path that satisfies the malformed search criteria, an attacker can trick the application into executing arbitrary Java code. This differs from standard PATH manipulation because it stems from the application's internal search logic. Specifically, a local attacker can create a crafted directory structure and path that satisfies an improperly terminated find query used by the application to locate a Java runtime. (en) Command injection in Raynet rvia RayVentory Scan Engine 12.6 Update 8 and previous versions allows adversaries to execute commands via getconfig, upload, inventory, and oracle options.

28 May 2026, 16:16

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.8
CWE CWE-77

27 May 2026, 18:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-05-27 18:16

Updated : 2026-06-01 18:12

NVD link : CVE-2025-69600

Mitre link : CVE-2025-69600

CVE.ORG link : CVE-2025-69600

JSON object : View

Products Affected

No product.

CWE
CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')