CVE-2025-46735: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') in nrkno terraform-provider-windns

Severity: Low
Tags: vulnerability, CVE-2025-46735, cwe-77
Published: Tue May 06 2025 (05/06/2025, 17:00:33 UTC)
Source: CVE
Vendor/Project: nrkno
Product: terraform-provider-windns

Description

Terraform WinDNS Provider allows users to manage their Windows DNS server resources through Terraform. A security issue has been found in Terraform WinDNS Provider before version `1.0.5`. The `windns_record` resource did not sanitize the input variables. This could lead to authenticated command injection in the underlying PowerShell command prompt. Version 1.0.5 contains a fix for the issue.

AI-Powered Analysis

Last updated: 07/05/2025, 16:28:16 UTC

Technical Analysis

CVE-2025-46735 is a command injection vulnerability identified in the Terraform WinDNS Provider (nrkno terraform-provider-windns) versions up to 1.0.4. This provider facilitates management of Windows DNS server resources via Terraform automation. The vulnerability arises from improper sanitization of input variables in the `windns_record` resource, which leads to the injection of malicious commands into the underlying PowerShell command prompt. Specifically, the provider fails to neutralize special characters or command elements in user-supplied inputs, allowing an authenticated user to execute arbitrary commands on the host system with the privileges of the Terraform process. The vulnerability is classified under CWE-77, indicating improper neutralization of special elements used in a command (command injection). The issue was addressed in version 1.0.5 of the provider, which includes input sanitization fixes to prevent command injection.

The CVSS v4.0 score is 1.1 (low severity), reflecting that exploitation requires local authentication with high privileges and user interaction, and affects only a limited scope without significantly impacting confidentiality, integrity, or availability. No known exploits are currently reported in the wild. This vulnerability is primarily a risk in environments where Terraform is used to manage Windows DNS infrastructure and where the vulnerable provider version is deployed. Attackers with authenticated access to Terraform configurations could leverage this flaw to execute arbitrary PowerShell commands, potentially leading to unauthorized system modifications or lateral movement within the network.
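The CWE-77 pattern described above, shown next to a neutralized form. This is an added illustration, not the provider's own code or its 1.0.5 fix; the function names, the allowlist policy and the use of `Get-DnsServerResourceRecord` as the wrapped cmdlet are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Conservative allowlist for zone and record names (assumed policy, adjust to local naming).
var dnsName = regexp.MustCompile(`^[A-Za-z0-9@*_][A-Za-z0-9._-]{0,252}$`)

// unsafeCommand reproduces the CWE-77 pattern: values are pasted into the command text.
func unsafeCommand(zone, name string) string {
	return fmt.Sprintf("Get-DnsServerResourceRecord -ZoneName %s -Name %s", zone, name)
}

// psQuote emits a PowerShell single-quoted literal. PowerShell also accepts the
// typographic quotes U+2018..U+201B as single quotes, so those are doubled too.
func psQuote(s string) string {
	var b strings.Builder
	b.WriteByte('\'')
	for _, r := range s {
		if strings.ContainsRune("'\u2018\u2019\u201a\u201b", r) {
			b.WriteRune(r)
		}
		b.WriteRune(r)
	}
	b.WriteByte('\'')
	return b.String()
}

// safeCommand validates first, then quotes, so neither control stands alone.
func safeCommand(zone, name string) (string, error) {
	for _, v := range []string{zone, name} {
		if !dnsName.MatchString(v) {
			return "", fmt.Errorf("rejected value %q: not a plain DNS name", v)
		}
	}
	return fmt.Sprintf("Get-DnsServerResourceRecord -ZoneName %s -Name %s",
		psQuote(zone), psQuote(name)), nil
}

func main() {
	hostile := "www; Get-Date" // constructed input with a statement separator
	fmt.Println("unsafe:", unsafeCommand("example.com", hostile))
	_, err := safeCommand("example.com", hostile)
	fmt.Println("safe:  ", err)
	cmd, _ := safeCommand("example.com", "www")
	fmt.Println("safe:  ", cmd)
}
```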

Potential Impact

For European organizations, the impact of this vulnerability depends on their adoption of Terraform for Windows DNS management and the use of the vulnerable terraform-provider-windns versions. Organizations using Terraform automation to manage Windows DNS servers could face risks of command injection attacks if they run versions prior to 1.0.5. Successful exploitation could allow attackers with legitimate Terraform access to execute arbitrary commands on DNS servers, potentially disrupting DNS services or enabling further compromise of internal networks. However, the requirement for authenticated access with high privileges and user interaction limits the risk to insiders or attackers who have already breached initial defenses. The low CVSS score suggests limited direct impact on confidentiality or availability, but the ability to execute arbitrary commands could be leveraged for persistence or privilege escalation. European enterprises with critical DNS infrastructure managed via Terraform, especially in sectors like finance, telecommunications, and government, could be targeted for such attacks. The vulnerability also poses a supply chain risk if Terraform configurations are shared or reused without proper version control. Overall, while the direct impact is low, the potential for misuse in complex attack chains warrants attention in European IT environments relying on this provider.

Mitigation Recommendations

1. Immediate upgrade to terraform-provider-windns version 1.0.5 or later to ensure the input sanitization fix is applied.
2. Restrict Terraform access strictly to trusted administrators and enforce the principle of least privilege to minimize the risk of authenticated misuse.
3. Implement rigorous input validation and sanitization in Terraform configurations, avoiding user-supplied inputs that could contain special characters or command elements.
4. Monitor Terraform execution logs and PowerShell command histories on Windows DNS servers for anomalous or unexpected commands indicative of exploitation attempts.
5. Use network segmentation to isolate DNS management infrastructure from general user networks, reducing the attack surface.
6. Employ multi-factor authentication (MFA) for Terraform management interfaces to reduce the risk of credential compromise.
7. Regularly audit Terraform provider versions and configurations as part of vulnerability management and patching cycles.
8. Consider implementing runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions on DNS servers to detect and block suspicious command executions.

These steps go beyond generic advice by focusing on Terraform-specific controls, access restrictions, and monitoring tailored to the nature of this vulnerability.
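One way to automate the provider-version audit from the recommendations above, as an added example that is not part of the original advisory: it scans the text of a `.terraform.lock.hcl` file for a locked windns provider older than 1.0.5. The registry address `registry.terraform.io/nrkno/windns` and the sample lock file are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample of a .terraform.lock.hcl; the registry address is assumed.
const sampleLock = `
provider "registry.terraform.io/nrkno/windns" {
  version     = "1.0.4"
  constraints = "~> 1.0"
}
provider "registry.terraform.io/hashicorp/random" {
  version = "3.6.0"
}
`

// blockRe captures each provider address and the version locked for it.
var blockRe = regexp.MustCompile(`(?s)provider\s+"([^"]+)"\s*\{.*?version\s*=\s*"([^"]+)"`)

// older reports whether dotted version a sorts before b, comparing numeric parts.
func older(a, b string) bool {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(pa) && i < len(pb); i++ {
		x, _ := strconv.Atoi(pa[i]) // non-numeric parts count as 0, which errs toward flagging
		y, _ := strconv.Atoi(pb[i])
		if x != y {
			return x < y
		}
	}
	return len(pa) < len(pb)
}

// vulnerableWindns returns every locked windns version below the fixed release 1.0.5.
func vulnerableWindns(lock string) []string {
	var hits []string
	for _, m := range blockRe.FindAllStringSubmatch(lock, -1) {
		if strings.HasSuffix(m[1], "/nrkno/windns") && older(m[2], "1.0.5") {
			hits = append(hits, m[2])
		}
	}
	return hits
}

func main() {
	fmt.Println("vulnerable windns versions locked:", vulnerableWindns(sampleLock))
}
```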

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-04-28T20:56:09.085Z
CISA Enriched: true
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682d981bc4522896dcbd9edd

Added to database: 5/21/2025, 9:08:43 AM

Last enriched: 7/5/2025, 4:28:16 PM

Last updated: 8/17/2025, 11:58:22 AM
