Impact
OS command injection has been discovered in the environment and tunnel configuration functions of Bondix Server versions up to 1.25.7.5 on Linux. An attacker who is authenticated and authorized to write configuration files can insert crafted configuration entries that are passed directly to server-side scripts, allowing the execution of arbitrary operating-system commands. This flaw is classified as CWE-78 and, based on the description, it is inferred that the attacker can compromise confidentiality, integrity, and availability of the host.
Affected Systems
Affected systems are SIMA GmbH Bondix Server on Linux, specifically all releases through and including 1.25.7.5. Versions after 1.25.7.5 are not listed as affected by the current advisory. Administrators should verify the exact build and version running on their infrastructure to determine if the system requires updating.
Risk and Exploitability
The CVSS base score of 8.6 indicates a high severity level and a high impact of a successful compromise. The EPSS score of 1% suggests that while the vulnerability is relatively uncommon, it still poses a measurable threat. Because the flaw requires authentication and write access to configuration files, the attack vector is likely internal or limited to systems where management interfaces are exposed. The vulnerability is not included in the CISA KEV catalog, but its impact warrants prompt remediation.
OpenCVE Enrichment