CVE-2025-10767 is a vulnerability identified in CosmodiumCS OnlyRAT versions up to 3.2, specifically affecting the Configuration File Handler component within the main.py file. The vulnerability arises from improper handling of the argument configuration["PASSWORD"] in the functions connect, remote_upload, and remote_download. This improper handling allows an attacker with local access to perform OS command injection, enabling execution of arbitrary operating system commands. The attack vector requires local access and elevated privileges (PR:L), making exploitation complex and difficult. The vulnerability does not require user interaction and has a low impact on confidentiality, integrity, and availability, as reflected in its CVSS 4.0 score of 2. The vendor was notified early but did not respond, and no patches have been published yet. The exploit code is publicly available, increasing the risk of potential exploitation despite the difficulty. The vulnerability's complexity and requirement for local access limit its widespread exploitation, but it remains a concern for environments where OnlyRAT is deployed and local access can be obtained by an attacker.

For European organizations using CosmodiumCS OnlyRAT versions 3.0 to 3.2, this vulnerability poses a limited but tangible risk. Since exploitation requires local access and elevated privileges, the threat is primarily to internal security, such as from malicious insiders or attackers who have already compromised a system to some extent. Successful exploitation could allow attackers to execute arbitrary OS commands, potentially leading to privilege escalation, data manipulation, or disruption of services. However, the low CVSS score and high complexity reduce the likelihood of widespread impact. Organizations relying on OnlyRAT for remote administration or RAT functionalities should be cautious, as attackers could leverage this vulnerability to deepen their foothold. The lack of vendor response and absence of patches necessitate proactive mitigation. In regulated European environments with strict data protection laws (e.g., GDPR), even limited breaches could have compliance implications if sensitive data or system integrity is compromised.

Given the absence of official patches, European organizations should implement strict access controls to limit local access to systems running OnlyRAT. This includes enforcing the principle of least privilege, ensuring that only trusted administrators have local access. Monitoring and logging of local activities related to OnlyRAT processes should be enhanced to detect suspicious command executions. Network segmentation can reduce the risk of lateral movement if an attacker gains local access. Additionally, organizations should consider disabling or restricting the use of the vulnerable functions (connect, remote_upload, remote_download) if feasible. Employing application whitelisting and endpoint detection and response (EDR) solutions can help identify and block exploitation attempts. Finally, organizations should maintain up-to-date inventories of OnlyRAT deployments and plan for migration to patched or alternative solutions once available.