
CVE-2025-12140

EUVD-2025-199823

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') (CWE-95)

Published: Nov 27, 2025 / Updated: 3mo ago

CVSS 9.3 (Critical) / EPSS 0.1%

Summary

An insecure 'redirectToUrl' mechanism in Simple SA's Wirtualna Uczelnia allows unauthenticated attackers to execute arbitrary code by manipulating the 'redirectUrlParameter' parameter. Instead of treating the supplied value as a redirect target (a URL) and echoing it into a redirect, the application interprets the string as a Java expression and evaluates it, so the parameter becomes an injection point for attacker-controlled code (CWE-95, eval injection).
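The following is an added example, not Wirtualna Uczelnia code and not a reproduction of the vulnerable 'redirectToUrl' implementation. It shows the handling the advisory implies a redirect parameter should get: parse it as a URL, check it against an allow-list, and emit it unchanged in a Location header, never evaluate it. The host allow-list, the use of the parameter name as a dict key and the `location_header` entry point are assumptions; only the parameter name 'redirectUrlParameter' comes from the advisory.

```python
"""Hardened handling of a redirect-target parameter.

Added example for this page; not Wirtualna Uczelnia code. The parameter is
a URL to validate and echo back, never a string to evaluate, so any
expression syntax inside it is inert. Allow-list and entry point are
assumptions.
"""
from urllib.parse import unquote, urlsplit, urlunsplit

# Assumed allow-list of hosts this application may redirect to.
ALLOWED_HOSTS = frozenset({"portal.example.edu", "sso.example.edu"})
DEFAULT_TARGET = "/"
PARAM = "redirectUrlParameter"  # parameter name from the advisory


class RedirectRejected(ValueError):
    """Raised when a redirect target fails validation."""


def safe_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS):
    """Validate a redirect target and return it if acceptable.

    Accepted:
      * site-relative paths ("/student/home?x=1"); scheme-relative
        "//host" and backslash variants are refused because browsers
        treat them as absolute URLs to another origin;
      * absolute http(s) URLs whose hostname is allow-listed.
    Everything else raises RedirectRejected. The value is only parsed
    with urlsplit; no part of it is interpreted or evaluated.
    """
    if not raw:
        return DEFAULT_TARGET
    # Decode once so "%2F%2F" cannot disguise a scheme-relative URL.
    candidate = unquote(raw)
    # CR/LF and other control characters would allow header injection.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in candidate):
        raise RedirectRejected("control character in redirect target")
    try:
        parts = urlsplit(candidate)
    except ValueError as exc:  # e.g. malformed IPv6 literal
        raise RedirectRejected(f"unparseable target: {exc}") from exc
    if parts.scheme == "" and parts.netloc == "":
        if not candidate.startswith("/") or candidate.startswith("//"):
            raise RedirectRejected("relative target must be a site path")
        if "\\" in candidate:  # "/\\evil.example" is normalised to "//evil.example"
            raise RedirectRejected("backslash in relative target")
        return candidate
    if parts.scheme not in ("http", "https"):
        raise RedirectRejected(f"scheme not allowed: {parts.scheme!r}")
    host = (parts.hostname or "").lower()  # hostname ignores userinfo ("allowed@evil")
    if host not in allowed_hosts:
        raise RedirectRejected(f"host not allow-listed: {host!r}")
    return urlunsplit(parts)


def is_rejected(raw):
    """True if safe_redirect_target refuses the value."""
    try:
        safe_redirect_target(raw)
    except RedirectRejected:
        return True
    return False


def location_header(query_params):
    """Compute the Location header value for a redirect request.

    Fails closed: an invalid target sends the user to DEFAULT_TARGET
    instead of erroring or falling back to a looser code path.
    """
    raw = query_params.get(PARAM, "")
    try:
        return safe_redirect_target(raw)
    except RedirectRejected:
        return DEFAULT_TARGET


if __name__ == "__main__":
    # "${7*7}" is a generic expression-language probe, constructed here;
    # it is refused because it is not a URL, not because it is recognised.
    for value in ("/student/home", "https://portal.example.edu/courses",
                  "//evil.example/", "${7*7}"):
        print(f"{value!r:45} -> {location_header({PARAM: value})!r}")
```

The validator deliberately contains no pattern matching for expression syntax: a "/path" that happens to contain `${` is harmless once the handler only ever writes it into a Location header, and a blacklist would just invite encoding tricks. Structural validation (relative path or allow-listed host) is the check that holds.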

Impact

This critical vulnerability enables remote code execution without authentication. Because the injected string is evaluated as a Java expression inside the application process, an attacker can potentially:
- Execute arbitrary Java code on the vulnerable system, with the privileges of the application server process
- Completely compromise the application's integrity
- Gain unauthorized access to system resources reachable from the application host
- Take full control of the affected application

Exploitation

No public proof-of-concept is known, and there is no evidence of exploitation in the wild at the time of writing.

Patch

Available in version wu#2016.1.5513#0#20251014_113353

Mitigation

Immediate recommended actions:
- Upgrade to the patched version wu#2016.1.5513#0#20251014_113353.
- Implement strict input validation for 'redirectUrlParameter': treat it as a redirect target (a site-relative path or an absolute URL with an allow-listed host), never as a string to be evaluated.
- Disable dynamic code execution capabilities: a redirect parameter never needs to reach an expression evaluator, so remove that code path rather than trying to filter payloads.
- Apply network-level restrictions (IP allow-lists or VPN-only access to the application) until the patch is deployed, since no authentication is needed to reach the flaw.
- Monitor web-server and application logs for 'redirectUrlParameter' values that do not look like URLs, in particular ones containing expression syntax, and for unexpected child processes spawned by the application server.
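To make the monitoring item concrete, here is an added example of a log scanner, not vendor code, that pulls 'redirectUrlParameter' out of access-log request lines and flags values that are not URL-shaped or that carry expression-language syntax. The endpoint path, the combined-format log lines and the payload in them are constructed for the example, and the indicator patterns (EL/SpEL-style `${...}`, `T(...)`, reflection and process-spawning API names) are an assumption about what an attack would look like, not the confirmed payload format for CVE-2025-12140.

```python
"""Scan access logs for expression-injection attempts in a redirect parameter.

Added example for this page, not vendor code. Only the parameter name comes
from the advisory; endpoint, log lines and indicator patterns are assumed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

PARAM = "redirectUrlParameter"

# Generic indicators that a value is a Java expression rather than a URL
# (assumption: EL/SpEL-style syntax and the APIs an injected expression
# would typically reach for; "/T(" in a genuine path would false-positive).
INDICATORS = {
    "el_braces":    re.compile(r"[$#]\{"),
    "spel_type":    re.compile(r"\bT\s*\("),
    "process_exec": re.compile(r"Runtime|ProcessBuilder|\bexec\s*\("),
    "reflection":   re.compile(r"Class\.forName|getClass\s*\(|getMethod\s*\("),
}

# Apache/nginx combined log format: client ident user [time] "request" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly (bounded) so double encoding cannot hide a payload."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def looks_like_url(value):
    """Loose check: a site-relative path or an absolute http(s) URL."""
    try:
        parts = urlsplit(value)
    except ValueError:
        return False
    if parts.scheme in ("http", "https") and parts.netloc:
        return True
    return parts.scheme == "" and parts.netloc == "" and value.startswith("/")


def classify(raw_value):
    """Return (decoded value, list of indicator names) for one parameter value."""
    decoded = fully_decode(raw_value)
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    if not looks_like_url(decoded):
        hits.append("not_a_url")
    return decoded, hits


def scan(lines, param=PARAM):
    """Scan log lines; return one finding per suspicious parameter value."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip, do not crash
        query = urlsplit(m.group("target")).query
        # parse_qs percent-decodes once; fully_decode strips extra layers.
        for raw_value in parse_qs(query, keep_blank_values=True).get(param, []):
            decoded, hits = classify(raw_value)
            if hits:
                findings.append({
                    "line": lineno, "ip": m.group("ip"),
                    "status": m.group("status"), "value": decoded,
                    "indicators": hits,
                })
    return findings


# Constructed sample log; the endpoint path and the payloads are assumed.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Nov/2025:14:15:01 +0100] "GET /app/redirectToUrl?redirectUrlParameter=%2Fstudent%2Fhome HTTP/1.1" 302 0',
    '10.0.0.6 - - [27/Nov/2025:14:15:09 +0100] "GET /app/redirectToUrl?redirectUrlParameter=https%3A%2F%2Fportal.example.edu%2F HTTP/1.1" 302 0',
    '203.0.113.7 - - [27/Nov/2025:14:16:30 +0100] "GET /app/redirectToUrl?redirectUrlParameter=%24%7BT(java.lang.Runtime).getRuntime().exec(%27id%27)%7D HTTP/1.1" 500 0',
    '203.0.113.7 - - [27/Nov/2025:14:16:31 +0100] "GET /app/redirectToUrl?redirectUrlParameter=%2524%257B7*7%257D HTTP/1.1" 302 0',
    '10.0.0.8 - - [27/Nov/2025:14:17:02 +0100] "GET /app/redirectToUrl?redirectUrlParameter=foo.bar HTTP/1.1" 302 0',
    'this line is not in combined log format',
]


def scan_sample():
    """Run the scanner over the constructed sample log."""
    return scan(SAMPLE_LOG)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"line {f['line']} from {f['ip']}: {f['indicators']} -> {f['value']!r}")
```

The "not_a_url" indicator is the one to rely on: it fires on anything that is neither a site path nor an absolute http(s) URL, so it does not depend on guessing the attacker's expression syntax. The named-pattern hits are there to prioritise triage, and the double-encoded fourth line shows why decoding must be repeated before matching.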

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

CVE Assignment

NVD published the first details for CVE-2025-12140

Nov 27, 2025 at 2:15 PM
CVSS

A CVSS base score of 9.3 has been assigned.

Nov 27, 2025 at 2:20 PM / nvd
First Article

Feedly found the first article mentioning CVE-2025-12140.

Nov 27, 2025 at 2:21 PM / Latest High/Critical Vulnerability Feed
CVSS Estimate

Feedly estimated the CVSS as HIGH based on the CVE details, attack complexity, and exploit information.

Nov 27, 2025 at 2:21 PM
Vendor Advisory

Red Hat published a CVE advisory for CVE-2025-12140.

Nov 28, 2025 at 3:00 PM
EPSS

FIRST assigned an EPSS Score of 0.1% (Percentile: 28.8%)

Dec 3, 2025 at 11:01 PM

Attack Patterns

CAPEC-35: Leverage Executable Code in Non-Executable Files

Vendor Advisory

CVE-2025-12140

CVE Id: CVE-2025-12140
Release Date: 2025-11-28
Update Date: 2025-11-28

Description: The application contains an insecure 'redirectToUrl' mechanism that incorrectly processes the value of the 'redirectUrlParameter' parameter. The application interprets the entered string of characters as a Java expression, allowing an unauthenticated attacker to perform arbitrary code execution. This issue was fixed in version wu#2016.1.5513#0#20251014_113353.

Statement: Red Hat Product Security has determined that this vulnerability does not affect any currently supported Red Hat product. This assessment may evolve based on further analysis and discovery. For more information about this vulnerability and the products it affects, please see the linked references.

News

Critical: Simple SA Wirtualna Uczelnia hit by CVE-2025-12140 (RCE via Java eval injection). No auth needed. Upgrade to wu#2016.1.5513#0#20251014_113353 now! 🚨 https://radar.offseq.com/threat/cve-2025-12140-cwe-95-improper-neutralization-of-d-9f4885f6 #OffSeq #RCE #Security — Offensive Sequence (@offseq.bsky.social) 2025-11-28T00:03:03.531Z

⚠️ CRITICAL CVE-2025-12140: Simple SA Wirtualna Uczelnia is vulnerable to unauth RCE via eval injection in 'redirectToUrl'. Patch to wu#2016.1.5513#0#20251014_113353 now! Full system compromise risk. https://radar.offseq.com/threat/cve-2025-12140-cwe-95-improper-neutralization-of-d-9f4885f6 #OffSeq #RCE #Vulnerability #Java

CVSS V3.1

Unknown
