CVE-2025-43920

GNU Mailman 2.1.39, as bundled in cPanel (and WHM), in certain external archiver configurations, allows unauthenticated attackers to execute arbitrary OS commands via shell metacharacters in an email Subject line. NOTE: multiple third parties report that they are unable to reproduce this, regardless of whether cPanel or WHM is used.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://code.launchpad.net/~mailman-coders/mailman/2.1	Product
https://github.com/0NYX-MY7H/CVE-2025-43920	Exploit Third Party Advisory
https://github.com/cpanel/mailman2-python3
https://www.openwall.com/lists/oss-security/2025/04/21/6

Configurations

Configuration 1 (hide)

cpe:2.3:a:gnu:mailman:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-04-20 01:15

Updated : 2025-04-28 14:15

NVD link : CVE-2025-43920

Mitre link : CVE-2025-43920

CVE.ORG link : CVE-2025-43920

JSON object : View

Products Affected

gnu

mailman

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2025-43920", "cveTags": [{"tags": ["disputed"], "sourceIdentifier": "[email protected]"}], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}]}, "published": "2025-04-20T01:15:45.867", "references": [{"url": "https://code.launchpad.net/~mailman-coders/mailman/2.1", "tags": ["Product"], "source": "[email protected]"}, {"url": "https://github.com/0NYX-MY7H/CVE-2025-43920", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}, {"url": "https://github.com/cpanel/mailman2-python3", "source": "[email protected]"}, {"url": "https://www.openwall.com/lists/oss-security/2025/04/21/6", "source": "[email protected]"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-78"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "GNU Mailman 2.1.39, as bundled in cPanel (and WHM), in certain external archiver configurations, allows unauthenticated attackers to execute arbitrary OS commands via shell metacharacters in an email Subject line. NOTE: multiple third parties report that they are unable to reproduce this, regardless of whether cPanel or WHM is used."}, {"lang": "es", "value": "GNU Mailman 2.1.39, incluido en cPanel (y WHM), permite a atacantes no autenticados ejecutar comandos arbitrarios del sistema operativo a trav\u00e9s de metacaracteres de shell en la l\u00ednea de asunto de un correo electr\u00f3nico."}], "lastModified": "2025-04-28T14:15:22.323", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gnu:mailman:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C274293D-B8B6-47B3-B072-F85D71618337", "versionEndIncluding": "2.1.39", "versionStartIncluding": "2.1.1"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}