CVE-2025-13284 | ThinPLUS developed by ThinPLUS has an OS Command Injection v… | CVSS 9.8 CRITICAL

Description

ThinPLUS developed by ThinPLUS has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server.

Metadata

CVE ID: CVE-2025-13284
State: PUBLISHED
Assigner: twcert
Reserved: 2025-11-17 02:58 UTC
Published: 2025-11-17 03:37 UTC
Last updated: 2025-11-27 02:48 UTC
Primary CWE: CWE-78
CWE-78 Improper Neutralization of Special Elements used in a…
Vendor / Product: ThinPLUS / ThinPLUS
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
ThinPLUS	ThinPLUS	—	TPmCloud4.0

Weakness (CWE)

CWE	Source	Description
CWE-78	cna	CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS scores (2)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3	CRITICAL	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References (2)