Vulnerabilites related to Nimesa - Nimesa Backup and Recovery
jvndb-2025-000047
Vulnerability from jvndb
Published
2025-07-07 15:26
Modified
2025-07-07 15:26
Severity ?
Summary
Multiple vulnerabilities in Nimesa Backup and Recovery
Details
Nimesa Backup and Recovery provided by Nimesa contains multiple vulnerabilities listed below.<ul><li>OS command injection (CWE-78) - CVE-2025-48501</li><li>Server-side request forgery (CWE-918) - CVE-2025-53473</li></ul>
Kentaro Kawane of GMO Cybersecurity by Ierae reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| ► | Type | URL | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| ► | Vendor | Product |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000047.html",
"dc:date": "2025-07-07T15:26+09:00",
"dcterms:issued": "2025-07-07T15:26+09:00",
"dcterms:modified": "2025-07-07T15:26+09:00",
"description": "Nimesa Backup and Recovery provided by Nimesa contains multiple vulnerabilities listed below.\u003cul\u003e\u003cli\u003eOS command injection (CWE-78) - CVE-2025-48501\u003c/li\u003e\u003cli\u003eServer-side request forgery (CWE-918) - CVE-2025-53473\u003c/li\u003e\u003c/ul\u003e\r\nKentaro Kawane of GMO Cybersecurity by Ierae reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000047.html",
"sec:cpe": {
"#text": "cpe:/a:misc:nimesa_nimesa_backup_and_recovery",
"@product": "Nimesa Backup and Recovery",
"@vendor": "Nimesa",
"@version": "2.2"
},
"sec:cvss": {
"@score": "9.8",
"@severity": "Critical",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2025-000047",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN88251376/index.html",
"@id": "JVN#88251376",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2025-48501",
"@id": "CVE-2025-48501",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2025-53473",
"@id": "CVE-2025-53473",
"@source": "CVE"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-78",
"@title": "OS Command Injection(CWE-78)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "Multiple vulnerabilities in Nimesa Backup and Recovery"
}
CVE-2025-48501 (GCVE-0-2025-48501)
Vulnerability from cvelistv5
Published
2025-07-07 04:51
Modified
2025-07-07 17:51
Severity ?
9.8 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
9.3 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
VLAI Severity ?
EPSS score ?
CWE
- CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
Summary
An OS command injection issue exists in Nimesa Backup and Recovery v2.3 and v2.4. If this vulnerability is exploited, an arbitrary OS commands may be executed on the server where the product is running.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ► | Nimesa | Nimesa Backup and Recovery |
Version: v2.3 |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48501",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-07T17:50:54.621360Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T17:51:06.538Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Nimesa Backup and Recovery",
"vendor": "Nimesa",
"versions": [
{
"status": "affected",
"version": "v2.3"
}
]
},
{
"product": "Nimesa Backup and Recovery",
"vendor": "Nimesa",
"versions": [
{
"status": "affected",
"version": "v2.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An OS command injection issue exists in Nimesa Backup and Recovery v2.3 and v2.4. If this vulnerability is exploited, an arbitrary OS commands may be executed on the server where the product is running."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T04:51:39.574Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://aws.amazon.com/marketplace/seller-profile?id=08fb48d1-5d60-4feb-93c6-c0c219278a2c"
},
{
"url": "https://jvn.jp/en/jp/JVN88251376/"
}
],
"tags": [
"unsupported-when-assigned"
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-48501",
"datePublished": "2025-07-07T04:51:39.574Z",
"dateReserved": "2025-07-02T08:23:23.992Z",
"dateUpdated": "2025-07-07T17:51:06.538Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-53473 (GCVE-0-2025-53473)
Vulnerability from cvelistv5
Published
2025-07-07 04:52
Modified
2025-07-07 17:15
Severity ?
7.3 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
6.9 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
6.9 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
VLAI Severity ?
EPSS score ?
CWE
- CWE-918 - Server-side request forgery (SSRF)
Summary
Server-side request forgery (SSRF) vulnerability exists n multiple versions of Nimesa Backup and Recovery, If this vulnerability is exploited, unintended requests may be sent to internal servers.
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ► | Nimesa | Nimesa Backup and Recovery |
Version: prior to v3.0.2025062305 |
|||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53473",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-07T17:14:38.882743Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T17:15:06.115Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Nimesa Backup and Recovery",
"vendor": "Nimesa",
"versions": [
{
"status": "affected",
"version": "prior to v3.0.2025062305"
}
]
},
{
"product": "Nimesa Backup and Recovery",
"vendor": "Nimesa",
"versions": [
{
"status": "affected",
"version": "v2.3"
}
]
},
{
"product": "Nimesa Backup and Recovery",
"vendor": "Nimesa",
"versions": [
{
"status": "affected",
"version": "v2.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Server-side request forgery (SSRF) vulnerability exists n multiple versions of Nimesa Backup and Recovery, If this vulnerability is exploited, unintended requests may be sent to internal servers."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-side request forgery (SSRF)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T04:52:00.334Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://aws.amazon.com/marketplace/seller-profile?id=08fb48d1-5d60-4feb-93c6-c0c219278a2c"
},
{
"url": "https://jvn.jp/en/jp/JVN88251376/"
}
],
"tags": [
"unsupported-when-assigned"
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-53473",
"datePublished": "2025-07-07T04:52:00.334Z",
"dateReserved": "2025-07-02T08:23:23.156Z",
"dateUpdated": "2025-07-07T17:15:06.115Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}