CVE-2025-10767: OS Command Injection in CosmodiumCS OnlyRAT
A vulnerability was detected in CosmodiumCS OnlyRAT up to and including version 3.2. The affected element is the function connect/remote_upload/remote_download in the file main.py of the component Configuration File Handler. Manipulation of the argument configuration["PASSWORD"] results in OS command injection. The attack requires local access; attacks of this nature are highly complex and exploitability is described as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-10767 affects CosmodiumCS OnlyRAT up to and including version 3.2. The flaw sits in the Configuration File Handler in main.py: the functions connect, remote_upload and remote_download read configuration["PASSWORD"] from the configuration file and pass it into an operating-system command without neutralizing shell metacharacters (OS command injection, CWE-78). Whoever controls the PASSWORD value in the configuration file that main.py reads can therefore run arbitrary commands with the privileges of the OnlyRAT process on the host where it runs. The attack is local, needs low privileges and no user interaction, and is rated high complexity; the CVSS 4.0 base score is 2.0 (Low), with low confidentiality, integrity and availability impact. A public exploit exists, no exploitation in the wild is known at this time, and the vendor did not respond to the disclosure, so no fix is available. Because the injection point is a configuration value rather than network input, the practical precondition is write access to that configuration file, or the ability to get an operator to use a crafted one; that precondition, not any authentication in OnlyRAT itself, is what keeps the rating low.
Potential Impact
For European organizations running CosmodiumCS OnlyRAT up to and including 3.2, a local attacker, or a compromised account that can edit OnlyRAT's configuration file, can execute arbitrary OS commands with the privileges of the OnlyRAT process. That is a privilege escalation only where OnlyRAT runs with more rights than the attacker already holds; otherwise the gain is code execution and persistence under the operator's identity, triggered each time connect, remote_upload or remote_download is used. Since OnlyRAT is used for remote administration and monitoring, the host running it typically holds credentials for the managed machines, which makes that identity worth protecting. With no vendor response and no patch, exposure persists for as long as the tool stays in use. Organizations with strict data-protection and system-integrity obligations would have to treat a successful exploitation as a reportable integrity incident. The low CVSS score, the high attack complexity and the absence of known in-the-wild exploitation keep the immediate risk low.
Mitigation Recommendations
1. Restrict local access to hosts running CosmodiumCS OnlyRAT to trusted operators. In particular, make sure the configuration file that main.py reads is owned by the operator account and is not writable by any other user or group, since control of its PASSWORD value is the injection path.
2. If source access is possible, stop building a shell command string from configuration values: pass the password as its own argv element to subprocess with shell=False, or quote it with shlex.quote where a shell is unavoidable, and reject empty or NUL-containing values.
3. Run OnlyRAT under a dedicated low-privilege account, isolated or sandboxed from the rest of the host, so that an injected command inherits as little as possible.
4. Use host-based detection (auditd, EDR or another HIDS) to alert on unexpected child processes of the OnlyRAT Python interpreter, for example a shell launching anything other than the expected transfer tool.
5. Apply application allow-listing on operator hosts so that binaries an injected command might call are not executable from OnlyRAT's process tree.
6. Audit and monitor logs for changes to the configuration file and for command execution around OnlyRAT's connect, remote_upload and remote_download operations.
7. Maintain up-to-date backups and an incident response plan so that a compromised operator host can be rebuilt quickly.
8. Track the upstream CosmodiumCS project and community channels for a fix or unofficial mitigation; if none appears, consider replacing the tool.
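The vulnerable pattern next to its fix, as an added example that is not OnlyRAT's own code. It assumes, hypothetically, that main.py builds an "sshpass -p <PASSWORD> scp ..." command line from the configuration file and hands it to a shell; the function names, the command shape and both sample configurations are our assumptions. The first builder interpolates configuration["PASSWORD"] into a shell string, shell_commands_in shows where a shell would cut that string into separate commands, and hardened_argv passes the same value as a single argv element so no shell ever parses it. The permission check covers the precondition from mitigation item 1: the injection path is the configuration file, so whoever can write it controls the process.

```python
"""Why configuration["PASSWORD"] becomes OS command injection, and the fix.

Added illustration of the bug class behind CVE-2025-10767, not OnlyRAT's code.
Assumption (hypothetical): main.py builds a shell command line such as
"sshpass -p <PASSWORD> scp ..." from the configuration file and hands it to a
shell.  Function names and the sshpass/scp shape are ours.
"""
import os
import shlex
import stat
import subprocess
import tempfile

# Constructed sample configurations.  The malicious one is what an attacker who
# can edit the configuration file would write: the password carries a command
# separator and a comment marker that discards the rest of the command line.
BENIGN_CONFIG = {"HOST": "10.0.0.5", "USER": "ops", "PASSWORD": "hunter2"}
MALICIOUS_CONFIG = {"HOST": "10.0.0.5", "USER": "ops",
                    "PASSWORD": "hunter2; echo INJECTED #"}


def vulnerable_command(configuration, local_path, remote_path):
    """Vulnerable pattern: the password is interpolated into one string that a
    shell will parse, so ';', '|', '$(...)' and '#' inside it are interpreted."""
    return (f"sshpass -p {configuration['PASSWORD']} scp {local_path} "
            f"{configuration['USER']}@{configuration['HOST']}:{remote_path}")


def shell_commands_in(command_line):
    """Tokenize a command line the way /bin/sh would (shlex with
    punctuation_chars honours ';', '|', '&' and '#' comments) and split it into
    the separate simple commands the shell would run."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token in (";", "&&", "||", "|", "&"):
            commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def validate_password(password):
    """Defence in depth only: the argv form below already makes metacharacters
    harmless, so just reject values that cannot be passed to execve at all."""
    return isinstance(password, str) and bool(password) and "\0" not in password


def hardened_argv(configuration, local_path, remote_path):
    """Hardened pattern: an argv list executed without a shell.  The password
    is a single argument whatever characters it contains."""
    password = configuration["PASSWORD"]
    if not validate_password(password):
        raise ValueError("PASSWORD must be a non-empty string without NUL")
    return ["sshpass", "-p", password, "scp", local_path,
            f"{configuration['USER']}@{configuration['HOST']}:{remote_path}"]


def run_argv(argv):
    """Execute an argv list with shell=False; nothing in argv is re-parsed."""
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


def permission_findings(mode, owner_uid, current_uid):
    """Permission problems that let another local user rewrite the file."""
    findings = []
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if owner_uid != current_uid:
        findings.append("not owned by the current user")
    return findings


def config_file_findings(path):
    """The injection path is the configuration file itself, so check it."""
    st = os.stat(path)
    return permission_findings(st.st_mode, st.st_uid, os.getuid())


if __name__ == "__main__":
    bad = vulnerable_command(MALICIOUS_CONFIG, "/tmp/report.txt", "/srv/in")
    print("vulnerable string:", bad)
    print("shell would run  :", shell_commands_in(bad))
    # Same payload against the harmless 'echo' stand-in for sshpass: through a
    # shell the injected command runs, without one the password stays literal.
    print(subprocess.run("echo -p " + MALICIOUS_CONFIG["PASSWORD"], shell=True,
                         capture_output=True, text=True).stdout, end="")
    print(run_argv(["echo", "-p", MALICIOUS_CONFIG["PASSWORD"]]), end="")
    with tempfile.NamedTemporaryFile(delete=False) as f:
        os.chmod(f.name, 0o666)  # deliberately weak permissions for the demo
        print("config findings  :", config_file_findings(f.name))
    os.unlink(f.name)
```

Run directly, the script prints the interpolated string, the two separate commands a shell would execute from it, the echo stand-in output with and without a shell, and the permission findings for a world-writable configuration file. The point to take from hardened_argv is that the fix is structural (no shell between the configuration value and execve), not a blocklist of characters.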
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-21T08:06:20.191Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68d0783404e7eb6dd3cd17a6
Added to database: 9/21/2025, 10:12:04 PM
Last enriched: 9/21/2025, 10:12:29 PM
Last updated: 9/22/2025, 12:07:57 AM
Related Threats
- CVE-2025-10762: SQL Injection in kuaifan DooTask (Medium)
- CVE-2025-10763: Unrestricted Upload in academico-sis academico (Medium)
- CVE-2025-10764: Server-Side Request Forgery in SeriaWei ZKEACMS (Medium)
- CVE-2025-10765: Server-Side Request Forgery in SeriaWei ZKEACMS (Medium)
- CVE-2025-6544: CWE-502 Deserialization of Untrusted Data in h2oai h2oai/h2o-3 (Critical)