CVE-2025-9060 CRITICAL

CVE-2025-9060: MFlash Remote Code Execution (RCE) after authentication of a user with the "administrator" role

Vendor Msoft
Product MFlash
Weakness CWE-20 · Input validation
Published August 15, 2025
Last update August 15, 2025

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

A vulnerability has been found in the MSoft MFlash application that allows execution of arbitrary code on the server. The issue occurs in the integration configuration functionality, which is available only to MFlash administrators, and is caused by insufficient validation of parameters when setting up security components. This issue affects MFlash v. 8.0 and possibly others. To mitigate, apply the 8.2-653 hotfix (11.06.2025) or above.

Key dates

02 Disclosure timeline

August 15, 2025 CVE published
August 15, 2025 Record updated