Description
A vulnerability was identified in Vaelsys VaelsysV4 up to 5.1.0/5.4.0. Affected by this issue is the function execute_DataObjectProc of the file /grid/vgrid_server.php of the component Web interface. Such manipulation of the argument xajaxargs leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used. Upgrading to version 5.1.1 and 5.4.1 can resolve this issue. It is suggested to upgrade the affected component.
Published: 2025-07-28
Score: 6.9 Medium
EPSS: 1.1% Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The flaw is an OS command injection triggered by unsanitized input to the xajaxargs parameter in the execute_DataObjectProc function of the Vaelsys V4 Web interface. This allows an attacker to inject arbitrary operating-system commands, leading to full remote code execution and compromising confidentiality, integrity, and availability of the affected system. The weakness is formally identified as CWE-77 and CWE-78.

Affected Systems

The Vaelsys V4 web platform, versions up to 5.1.0 and 5.4.0, is vulnerable. The affected component is the vgrid_server.php file in the /grid directory of the web interface.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity vulnerability. The EPSS score of 1% shows a moderate probability of exploitation; the exploit code is publicly available, so the risk is heightened. It is not included in CISA’s KEV catalog. The likely attack vector is remote over the network: an attacker can send a request to the vulnerable endpoint from outside the trusted network.

Generated by OpenCVE AI on April 20, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Vaelsys V4 component to version 5.1.1 or 5.4.1 as released by Vaelsys.
  • Apply network segmentation or firewall rules to limit external access to the Vaelsys web interface until a patch can be applied.
  • Monitor web server logs for anomalous xajaxargs values and raise alerts for suspicious command injection attempts.
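The third action above is the one a defender can act on today. The script below is an added example (not OpenCVE's or Vaelsys's code) of that monitoring: it parses combined-format access log lines, keeps only requests to the /grid/vgrid_server.php endpoint named in the advisory, URL-decodes every xajaxargs value (repeatedly, so double-encoding does not slip past), and flags values containing shell operators or substitution syntax. It assumes the arguments are visible in the logged URL; xajax frequently sends them in a POST body instead, in which case the same check should be run over WAF or request-body logs. The sample log lines are constructed, not real traffic.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Endpoint named in the advisory.
VULN_PATH = "/grid/vgrid_server.php"

# Shell operators and substitution syntax that never belong in a data-object argument.
SHELL_META = re.compile(r"\|\||&&|\$\(|`|[;|&\n$]")

# Apache/nginx combined log format (only the fields this script needs are captured).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated URL-encoding so %253B (double-encoded ';') is still caught."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def xajaxargs_values(query: str) -> list:
    """Return every value passed as xajaxargs, xajaxargs[] or xajaxargs[n]."""
    params = parse_qs(query, keep_blank_values=True)
    out = []
    for key, values in params.items():
        if key == "xajaxargs" or key.startswith("xajaxargs["):
            out.extend(values)
    return out


def check_line(line: str):
    """Return a finding for a suspicious request to the vulnerable endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; ignore
    parts = urlsplit(m.group("url"))
    if parts.path != VULN_PATH:
        return None  # only the endpoint from the advisory is in scope here
    hits = [v for v in (fully_decode(raw) for raw in xajaxargs_values(parts.query))
            if SHELL_META.search(v)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "status": m.group("status"), "values": hits}


def scan(lines):
    """Run check_line over an iterable of log lines and collect the findings."""
    return [f for f in (check_line(line) for line in lines) if f]


# Constructed sample log lines (hypothetical addresses and timestamps, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Jul/2025:10:01:02 +0000] "GET /grid/vgrid_server.php?xajax=execute_DataObjectProc&xajaxargs[]=report_42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [28/Jul/2025:10:01:05 +0000] "GET /grid/vgrid_server.php?xajax=execute_DataObjectProc&xajaxargs[]=42%3Bid HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '198.51.100.9 - - [28/Jul/2025:10:01:09 +0000] "GET /grid/vgrid_server.php?xajax=execute_DataObjectProc&xajaxargs[]=42%253Bid HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '192.0.2.5 - - [28/Jul/2025:10:02:00 +0000] "GET /index.php?xajaxargs[]=a%7Cb HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"ALERT {f['ts']} {f['ip']} status={f['status']} xajaxargs={f['values']}")
```

On the sample input the first line (a plain identifier) and the fourth (a different path) are not reported; the second and third, one plain and one double-encoded, both produce an alert. A 200 status on a flagged request is the case to triage first, since it means the endpoint accepted the input; on a patched host the same alert is still worth keeping as an indicator of who is probing for the bug.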

Advisories
Source: EUVD
ID: EUVD-2025-22854
Title: A vulnerability, which was classified as critical, was found in Vaelsys 4.1.0. This affects the function execute_DataObjectProc of the file /grid/vgrid_server.php. The manipulation of the argument xajaxargs leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
History

Wed, 15 Apr 2026 15:15:00 +0000


Wed, 15 Apr 2026 07:45:00 +0000

Type: Description
  Removed: A vulnerability, which was classified as critical, was found in Vaelsys 4.1.0. This affects the function execute_DataObjectProc of the file /grid/vgrid_server.php. The manipulation of the argument xajaxargs leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
  Added: A vulnerability was identified in Vaelsys VaelsysV4 up to 5.1.0/5.4.0. Affected by this issue is the function execute_DataObjectProc of the file /grid/vgrid_server.php of the component Web interface. Such manipulation of the argument xajaxargs leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used. Upgrading to version 5.1.1 and 5.4.1 can resolve this issue. It is suggested to upgrade the affected component.

Type: Title
  Removed: Vaelsys vgrid_server.php execute_DataObjectProc os command injection
  Added: Vaelsys VaelsysV4 Web interface vgrid_server.php execute_DataObjectProc os command injection

Type: References

Type: Metrics
  Removed:
    cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
    cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  Added:
    cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
    cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
    cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}


Thu, 31 Jul 2025 17:45:00 +0000

Type: CPEs
  Added: cpe:2.3:a:vaelsys:vaelsys:4.1.0:*:*:*:*:*:*:*

Tue, 29 Jul 2025 08:00:00 +0000

Type: First Time appeared
  Added: Vaelsys; Vaelsys vaelsys

Type: Vendors & Products
  Added: Vaelsys; Vaelsys vaelsys

Mon, 28 Jul 2025 16:15:00 +0000

Type: Metrics
  Added:
    ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 28 Jul 2025 05:45:00 +0000

Type: Description
  Added: A vulnerability, which was classified as critical, was found in Vaelsys 4.1.0. This affects the function execute_DataObjectProc of the file /grid/vgrid_server.php. The manipulation of the argument xajaxargs leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
  Added: Vaelsys vgrid_server.php execute_DataObjectProc os command injection

Type: Weaknesses
  Added: CWE-77; CWE-78

Type: References

Type: Metrics
  Added:
    cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
    cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-15T07:08:25.330Z

Reserved: 2025-07-26T16:14:16.170Z

Link: CVE-2025-8259

Vulnrichment

Updated: 2025-07-28T15:58:53.568Z

NVD

Status: Modified

Published: 2025-07-28T06:15:23.837

Modified: 2026-04-15T08:16:15.760

Link: CVE-2025-8259

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T16:30:06Z

Weaknesses