
CVE-2025-58059: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in valtimo-platform valtimo-backend-libraries

Severity: Critical
Tags: Vulnerability, CVE-2025-58059, cve, cwe-78, cwe-200
Published: Thu Aug 28 2025 (08/28/2025, 17:50:50 UTC)
Source: CVE Database V5
Vendor/Project: valtimo-platform
Product: valtimo-backend-libraries

Description

Valtimo is a platform for Business Process Automation. In versions before 12.16.0.RELEASE, and from 13.0.0.RELEASE to before 13.1.2.RELEASE, any admin that can create or modify and execute process-definitions could gain access to sensitive data or resources. This includes but is not limited to: running executables on the application host, inspecting and extracting data from the host environment or application properties, and Spring beans (application context, database pooling). The following conditions have to be met in order to perform this attack: the user must be logged in, have the admin role, and must have some knowledge about running scripts via the Camunda/Operator engine. Versions 12.16.0 and 13.1.2 have been patched. It is strongly advised to upgrade. If no scripting is needed in any of the processes, it could be possible to disable it altogether via the ProcessEngineConfiguration. However, this workaround could lead to unexpected side-effects.

AI-Powered Analysis

AI analysis last updated: 09/04/2025, 18:42:32 UTC

Technical Analysis

CVE-2025-58059 is a critical OS command injection vulnerability affecting the valtimo-backend-libraries component of the Valtimo platform, a business process automation solution. The vulnerability exists in versions prior to 12.16.0.RELEASE and in versions from 13.0.0.RELEASE up to, but not including, 13.1.2.RELEASE. It allows an authenticated user with administrative privileges who can create, modify, and execute process definitions to execute arbitrary OS commands on the host running the application. This is possible due to improper neutralization of special elements in OS commands (CWE-78), enabling injection attacks. Exploitation requires the attacker to be logged in as an admin and to have knowledge of scripting via the Camunda/Operator engine used by Valtimo. Successful exploitation can lead to full compromise of the host environment, including unauthorized access to sensitive data such as application properties, Spring beans (application context), and database connection pools. The vulnerability therefore impacts the confidentiality, integrity, and availability of the system. The vendor has patched this issue in versions 12.16.0 and 13.1.2. As a temporary mitigation, disabling scripting via ProcessEngineConfiguration is possible but may cause unexpected side effects. The CVSS v3.1 base score is 9.1, reflecting critical severity with network attack vector, low attack complexity, high privileges required, no user interaction, and a scope change. No known exploits have been reported in the wild yet.

Potential Impact

For European organizations using the Valtimo platform, especially those relying on the vulnerable versions of valtimo-backend-libraries, this vulnerability poses a severe risk. Exploitation could lead to unauthorized execution of arbitrary commands on critical business process automation servers, potentially exposing sensitive business data, intellectual property, and customer information. The integrity and availability of automated workflows could be compromised, disrupting business operations. Given that the attacker must have admin credentials, insider threats or compromised admin accounts are primary risk vectors. Organizations in regulated sectors such as finance, healthcare, and government could face compliance violations and reputational damage if sensitive data is leaked or systems are disrupted. The ability to extract environment details and database credentials could facilitate further lateral movement and persistence within the network. The criticality of this vulnerability necessitates urgent patching to prevent potential exploitation and operational impact.

Mitigation Recommendations

1. Immediately upgrade to Valtimo platform versions 12.16.0 or 13.1.2 or later, where the vulnerability is patched.
2. Restrict admin role assignments strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise.
3. Audit and monitor process definitions for unauthorized or suspicious scripting activities, especially those leveraging the Camunda/Operator engine.
4. If upgrading is not immediately feasible, consider disabling scripting via the ProcessEngineConfiguration, but thoroughly test this change in a staging environment to identify and mitigate any side effects on business processes.
5. Implement network segmentation and host-based intrusion detection to detect anomalous command executions on Valtimo hosts.
6. Regularly review logs and alerts for signs of OS command injection attempts or unusual administrative actions.
7. Educate administrators on the risks of this vulnerability and best practices for secure process definition management.
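Recommendation 3 asks for an audit of process definitions for embedded scripting. The following is an added example, not code from the Valtimo or Camunda projects or from this advisory: it parses BPMN 2.0 XML and reports every place a script is embedded (script tasks, Camunda listener and input/output scripts, and scripted flow conditions) so a reviewer can check each one before a definition is deployed. It assumes the standard BPMN 2.0 model namespace and the Camunda extension namespace; the sample process definitions are constructed for the example.

```python
"""Audit BPMN process definitions for embedded scripting (added example)."""
import sys
import xml.etree.ElementTree as ET

# Standard BPMN 2.0 model namespace and the Camunda BPMN extension namespace.
BPMN_NS = "http://www.omg.org/spec/BPMN/20100524/MODEL"
CAMUNDA_NS = "http://camunda.org/schema/1.0/bpmn"
NS = {"bpmn": BPMN_NS, "camunda": CAMUNDA_NS}

# Constructed sample: one script task, one scripted task listener,
# one scripted sequence-flow condition and one plain user task.
SAMPLE_BPMN = """<?xml version="1.0" encoding="UTF-8"?>
<bpmn:definitions xmlns:bpmn="http://www.omg.org/spec/BPMN/20100524/MODEL"
                  xmlns:camunda="http://camunda.org/schema/1.0/bpmn"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  id="defs-sample">
  <bpmn:process id="sample-process" isExecutable="true">
    <bpmn:scriptTask id="Task_calc" name="Calculate" scriptFormat="groovy">
      <bpmn:script>execution.setVariable("total", 42)</bpmn:script>
    </bpmn:scriptTask>
    <bpmn:userTask id="Task_review" name="Review">
      <bpmn:extensionElements>
        <camunda:taskListener event="create">
          <camunda:script scriptFormat="javascript">task.setAssignee("reviewer")</camunda:script>
        </camunda:taskListener>
      </bpmn:extensionElements>
    </bpmn:userTask>
    <bpmn:sequenceFlow id="Flow_big" sourceRef="Task_calc" targetRef="Task_review">
      <bpmn:conditionExpression xsi:type="bpmn:tFormalExpression" language="groovy">total > 10</bpmn:conditionExpression>
    </bpmn:sequenceFlow>
    <bpmn:userTask id="Task_approve" name="Approve"/>
  </bpmn:process>
</bpmn:definitions>
"""

# Constructed sample with no scripting at all.
CLEAN_BPMN = """<bpmn:definitions xmlns:bpmn="http://www.omg.org/spec/BPMN/20100524/MODEL" id="defs-clean">
  <bpmn:process id="clean-process" isExecutable="true">
    <bpmn:userTask id="Task_only" name="Only task"/>
  </bpmn:process>
</bpmn:definitions>
"""


def _owner_id(el, parent_of):
    """Walk up to the nearest ancestor (or self) that carries an id attribute."""
    while el is not None:
        if el.get("id"):
            return el.get("id")
        el = parent_of.get(el)
    return "<no id>"


def find_script_usages(xml_text):
    """Return one finding (dict) per scripting element, in document order."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build the map once.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for el in root.iter():
        if el.tag == f"{{{BPMN_NS}}}scriptTask":
            body = el.find("bpmn:script", NS)
            findings.append({"kind": "scriptTask",
                             "element_id": el.get("id"),
                             "script_format": el.get("scriptFormat"),
                             "snippet": (body.text or "").strip() if body is not None else ""})
        elif el.tag == f"{{{CAMUNDA_NS}}}script":
            # Listener, inputParameter and outputParameter scripts all use this element.
            findings.append({"kind": "camunda:script",
                             "element_id": _owner_id(el, parent_of),
                             "script_format": el.get("scriptFormat"),
                             "snippet": (el.text or "").strip()})
        elif el.tag == f"{{{BPMN_NS}}}conditionExpression" and el.get("language"):
            # A condition with a language attribute is evaluated by a script engine.
            findings.append({"kind": "conditionExpression",
                             "element_id": _owner_id(el, parent_of),
                             "script_format": el.get("language"),
                             "snippet": (el.text or "").strip()})
    return findings


def has_scripting(xml_text):
    """True if the definition would need a script engine to execute."""
    return bool(find_script_usages(xml_text))


if __name__ == "__main__":
    # Usage: python audit_bpmn.py process1.bpmn process2.bpmn ...
    sources = [(p, open(p, encoding="utf-8").read()) for p in sys.argv[1:]] \
        or [("<sample>", SAMPLE_BPMN)]
    for name, text in sources:
        for f in find_script_usages(text):
            print(f"{name}: {f['kind']} in {f['element_id']} ({f['script_format']}): {f['snippet'][:60]}")
```

Running the audit against every definition in a deployment (or as a pre-deployment gate in CI) gives a list of script locations to review by hand; a definition with no findings is one for which the ProcessEngineConfiguration workaround in recommendation 4 would have no functional effect.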


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-08-22T14:30:32.222Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68b099c9ad5a09ad006eacd7

Added to database: 8/28/2025, 6:02:49 PM

Last enriched: 9/4/2025, 6:42:32 PM

Last updated: 10/13/2025, 12:50:59 PM

Views: 56
