CVE-2025-10659 CRITICAL

CVE-2025-10659: MegaSys Enterprises Telenium Online Web Application OS Command Injection

Vendor Megasys
Product Telenium Online Web Application
Weakness CWE-78
Published September 30, 2025
Last update September 30, 2025

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

The Telenium Online Web Application is vulnerable due to a PHP endpoint accessible to unauthenticated network users that improperly handles user-supplied input. This vulnerability occurs due to the insecure termination of a regular expression check within the endpoint. Because the input is not correctly validated or sanitized, an unauthenticated attacker can inject arbitrary operating system commands through a crafted HTTP request, leading to remote code execution on the server in the context of the web application service account.
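The record does not publish the affected endpoint's code, so the following is an added illustration of the flaw class it names (a regular expression check that is not securely terminated, placed in front of an OS command) and is not Telenium or vendor code. The `host` style value, the patterns and all function names are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added illustration, not Telenium code. The patterns, function names and
// sample values are hypothetical.

// Weak 1: no end anchor, so only a prefix of the input has to match.
function check_unterminated(string $s): bool {
    return preg_match('/^[A-Za-z0-9.-]+/', $s) === 1;
}

// Weak 2: in PCRE, '$' also matches just before a final newline.
function check_dollar(string $s): bool {
    return preg_match('/^[A-Za-z0-9.-]+$/', $s) === 1;
}

// Strict: \A and \z bind the pattern to the whole string, plus a length cap.
function check_strict(string $s): bool {
    return strlen($s) <= 253
        && preg_match('/\A[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\z/', $s) === 1;
}

// Defence in depth: an argv array makes proc_open() (PHP 7.4+) start the
// program directly, with no shell to interpret metacharacters.
function run_without_shell(array $argv): string {
    $proc = proc_open($argv, [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out;
}

// Constructed sample inputs.
$samples = ['sensor-01.example.net', 'sensor-01.example.net; echo INJECTED', "sensor-01.example.net\n"];

foreach ($samples as $s) {
    printf("%-42s unterminated=%d dollar=%d strict=%d\n", json_encode($s),
        check_unterminated($s), check_dollar($s), check_strict($s));
}

// The child receives the whole string as one literal argument.
echo run_without_shell([PHP_BINARY, '-r', 'echo $argv[1];', '--', $samples[1]]), "\n";
```

Only the strict check rejects both malformed samples; the argv form of `proc_open()` is the second layer, so a validation mistake alone does not hand input to a shell.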

Key dates

02 Disclosure timeline

September 30, 2025 CVE published
September 30, 2025 Record updated