CVE-2025-27027 (GCVE-0-2025-27027)
Vulnerability from cvelistv5
Published
2025-07-09 08:31
Modified
2025-07-09 13:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-653 - Improper Isolation or Compartmentalization
Summary
A user with vpuser credentials that opens an SSH connection to the device, gets a restricted shell rbash that allows only a small list of allowed commands. This vulnerability enables the user to get a full-featured Linux shell, bypassing the rbash restrictions.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Radiflow | iSAP Smart Collector |
Version: 1.20 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27027",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-09T13:32:44.624049Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-09T13:34:00.352Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "iSAP Smart Collector",
"vendor": "Radiflow",
"versions": [
{
"lessThan": "3.02-1",
"status": "affected",
"version": "1.20",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA user with \u003c/span\u003e\u003ci\u003evpuser\u003c/i\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;credentials that opens an SSH connection to the device, gets a restricted shell \u003c/span\u003e\u003ci\u003erbash\u003c/i\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;that allows only a small list of allowed commands. This vulnerability enables the user to get a full-featured Linux shell, bypassing the \u003c/span\u003e\u003ci\u003erbash\u003c/i\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;restrictions.\u003c/span\u003e\n\n\u003cbr\u003e\u003c/span\u003e"
}
],
"value": "A user with vpuser\u00a0credentials that opens an SSH connection to the device, gets a restricted shell rbash\u00a0that allows only a small list of allowed commands. This vulnerability enables the user to get a full-featured Linux shell, bypassing the rbash\u00a0restrictions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-653",
"description": "CWE-653 Improper Isolation or Compartmentalization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-09T09:45:23.169Z",
"orgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
"shortName": "ENISA"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cvcn.gov.it/cvcn/cve/CVE-2025-27027"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Restricted shell evasion in Radiflow iSAP Smart Collector",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
"assignerShortName": "ENISA",
"cveId": "CVE-2025-27027",
"datePublished": "2025-07-09T08:31:29.320Z",
"dateReserved": "2025-02-18T06:59:55.889Z",
"dateUpdated": "2025-07-09T13:34:00.352Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-27027\",\"sourceIdentifier\":\"a6d3dc9e-0591-4a13-bce7-0f5b31ff6158\",\"published\":\"2025-07-09T09:15:26.720\",\"lastModified\":\"2025-07-10T13:17:30.017\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A user with vpuser\u00a0credentials that opens an SSH connection to the device, gets a restricted shell rbash\u00a0that allows only a small list of allowed commands. This vulnerability enables the user to get a full-featured Linux shell, bypassing the rbash\u00a0restrictions.\"},{\"lang\":\"es\",\"value\":\"Un usuario con credenciales de usuario virtual que abre una conexi\u00f3n SSH al dispositivo obtiene un shell rbash restringido que solo permite una peque\u00f1a lista de comandos permitidos. Esta vulnerabilidad permite al usuario obtener un shell Linux completo, eludiendo las restricciones de rbash.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"a6d3dc9e-0591-4a13-bce7-0f5b31ff6158\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N\",\"baseScore\":4.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"a6d3dc9e-0591-4a13-bce7-0f5b31ff6158\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-653\"}]}],\"references\":[{\"url\":\"https://www.cvcn.gov.it/cvcn/cve/CVE-2025-27027\",\"source\":\"a6d3dc9e-0591-4a13-bce7-0f5b31ff6158\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-27027\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-09T13:32:44.624049Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-09T13:32:58.912Z\"}}], \"cna\": {\"title\": \"Restricted shell evasion in Radiflow iSAP Smart Collector\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 4.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Radiflow\", \"product\": \"iSAP Smart Collector\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.20\", \"lessThan\": \"3.02-1\", \"versionType\": \"semver\"}], \"platforms\": [\"Linux\"], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://www.cvcn.gov.it/cvcn/cve/CVE-2025-27027\", \"tags\": [\"government-resource\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A user with vpuser\\u00a0credentials that opens an SSH connection to the device, gets a restricted shell rbash\\u00a0that allows only a small list of allowed commands. This vulnerability enables the user to get a full-featured Linux shell, bypassing the rbash\\u00a0restrictions.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eA user with \u003c/span\u003e\u003ci\u003evpuser\u003c/i\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp;credentials that opens an SSH connection to the device, gets a restricted shell \u003c/span\u003e\u003ci\u003erbash\u003c/i\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp;that allows only a small list of allowed commands. This vulnerability enables the user to get a full-featured Linux shell, bypassing the \u003c/span\u003e\u003ci\u003erbash\u003c/i\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp;restrictions.\u003c/span\u003e\\n\\n\u003cbr\u003e\u003c/span\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-653\", \"description\": \"CWE-653 Improper Isolation or Compartmentalization\"}]}], \"providerMetadata\": {\"orgId\": \"a6d3dc9e-0591-4a13-bce7-0f5b31ff6158\", \"shortName\": \"ENISA\", \"dateUpdated\": \"2025-07-09T09:45:23.169Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-27027\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-09T13:34:00.352Z\", \"dateReserved\": \"2025-02-18T06:59:55.889Z\", \"assignerOrgId\": \"a6d3dc9e-0591-4a13-bce7-0f5b31ff6158\", \"datePublished\": \"2025-07-09T08:31:29.320Z\", \"assignerShortName\": \"ENISA\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…