Vulnerable endpoints in the Simplicity Installer accept JSON data that contains a URL, allowing the payload to be interpreted and executed as a command. The commands that can run are limited to opening executables; parameters or arguments cannot be supplied. This flaw therefore permits an attacker to launch predefined executable actions from within the installer environment, potentially compromising system integrity if the attacker can choose arbitrary executables. The vulnerability is exploitable only when the attacker can reach the target through the network that hosts the installer service, which narrows the threat to local‑network adversaries.

The weakness affects Silicon Labs’ Simplicity Installer tool that ships with Simplicity Studio version 6 and earlier version 5. No specific software revisions are listed, so all builds that include the vulnerable installer component are potentially impacted.

The CVSS score of 2.1 indicates that the flaw is considered low severity. While no EPSS value is available and the vulnerability is not cataloged in the CISA KEV list, the exploit is straightforward: an attacker on the same network can send a crafted JSON request to the exposed endpoint, triggering execution of a limited set of commands. Because the attack requires local network proximity and offers no parameter control, the overall risk to remote adversaries is minimal, but local attackers could use the flaw to run executables that may aid further compromise within the network.