Full Report
Command Injection vulnerability (CVE-2025-6225) has been found in Kieback&Peter Neutrino-GLT software.
Analysis Summary
# Vulnerability: Command Injection in Kieback&Peter Neutrino-GLT Web Component
## CVE Details
- CVE ID: CVE-2025-6225
- CVSS Score: *Not explicitly stated, but implied critical due to Command Injection*
- CWE: CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))
## Affected Systems
- Products: Kieback&Peter Neutrino-GLT (specifically the "SM70 PHWEB" web component)
- Versions: All versions before 9.40.02
- Configurations: Applicable to the web component used for building management.
## Vulnerability Description
The vulnerability exists within the web component "SM70 PHWEB" of the Kieback&Peter Neutrino-GLT product. It is susceptible to OS command injection via the login form. Successful exploitation allows an attacker to inject and execute arbitrary system commands with low system privileges.
## Exploitation
- Status: *Information not available (assumed not exploited in the wild unless specified)*
- Complexity: *Not explicitly stated, implied low due to input validation failure in a common interface (login)*
- Attack Vector: Likely Network (via the web interface)
## Impact
- Confidentiality: Potential impact (execution of commands could lead to information disclosure)
- Integrity: Potential impact (execution of commands could lead to system modification)
- Availability: Potential impact (execution of commands could lead to service disruption)
## Remediation
### Patches
- Patch Version: 9.40.02
### Workarounds
- No specific workarounds were detailed in the provided source material. Segmentation or restriction of access to the SM70 PHWEB component may serve as a temporary measure.
## Detection
- Detection methods for OS Command Injection generally involve monitoring for unusual command execution attempts, such as shells or system utilities spawned by the web service's user account, or other atypical process behavior originating from that account.
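An added example of the process-monitoring approach described above (not code from the advisory or the vendor): it scans constructed JSON-lines process-creation events and flags those where the web service account spawns a shell or passes shell metacharacters on a command line. The account name `phweb`, the event field names and all sample events are assumptions made for this example.

```python
import json
import re
from typing import Dict, List, Tuple

# Assumption: the account that runs the SM70 PHWEB component; adjust to the
# real service account on the monitored host.
WEB_SERVICE_USER = "phweb"
SHELLS = {"sh", "bash", "dash", "cmd.exe", "powershell.exe"}
# Metacharacters that a login handler has no legitimate reason to pass to a shell.
METACHARS = re.compile(r"[;&|`$<>]|\$\(")


def classify_event(event: Dict) -> List[str]:
    """Return the reasons a process-creation event looks suspicious, or [] if benign."""
    reasons: List[str] = []
    if event.get("user") != WEB_SERVICE_USER:
        return reasons  # only processes started by the web service account are in scope
    exe = event.get("exe", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe in SHELLS:
        reasons.append("web service user spawned a shell")
    if METACHARS.search(event.get("cmdline", "")):
        reasons.append("shell metacharacters in command line")
    return reasons


def scan(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Parse JSON-lines events and return (timestamp, cmdline, reasons) for each alert."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        reasons = classify_event(event)
        if reasons:
            alerts.append((event.get("ts", ""), event.get("cmdline", ""), reasons))
    return alerts


# Constructed sample events (one process creation per line); not real telemetry.
SAMPLE_LOG = """
{"ts":"2026-01-10T08:00:01Z","user":"phweb","exe":"/usr/bin/logger","cmdline":"logger login ok"}
{"ts":"2026-01-10T08:00:02Z","user":"root","exe":"/bin/sh","cmdline":"sh /etc/cron.hourly/rotate"}
{"ts":"2026-01-10T08:00:03Z","user":"phweb","exe":"/bin/sh","cmdline":"sh -c hostname; id"}
""".strip().splitlines()

if __name__ == "__main__":
    for ts, cmdline, reasons in scan(SAMPLE_LOG):
        print(f"{ts} ALERT {cmdline!r}: {', '.join(reasons)}")
```

The cron job run by root is deliberately not flagged: the rule keys on the web service account, which keeps noise from legitimate administrative shells low.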
## References
- Vendor Advisory: (None explicitly provided in this summary)
- Relevant links:
  - CERT Polska report source: hXXps://cert.pl/en/posts/2026/01/vulnerability-in-kiebackpeter-neutrino-glt-software/
  - CVE Record: hXXps://www.cve.org/CVERecord?id=CVE-2025-6225