
CVE-2025-6512: CWE-94 Improper Control of Generation of Code ('Code Injection') in Bizerba SE & Co. KG BRAIN2

Critical
Tags: Vulnerability, CVE-2025-6512, CVE, CWE-94
Published: Mon Jun 23 2025 (06/23/2025, 12:48:33 UTC)
Source: CVE Database V5
Vendor/Project: Bizerba SE & Co. KG
Product: BRAIN2

Description

On a client with a non-admin user, a script can be integrated into a report. The reports could later be executed on the BRAIN2 server with administrator rights.

AI-Powered Analysis

Last updated: 06/23/2025, 13:34:40 UTC

Technical Analysis

CVE-2025-6512 is a critical code injection vulnerability (CWE-94) affecting Bizerba SE & Co. KG's BRAIN2 product. The vulnerability arises from improper control over the generation of code within the application. Specifically, a non-administrative user on a client machine can embed a malicious script into a report. When this report is later executed on the BRAIN2 server, it runs with administrator privileges, effectively allowing privilege escalation and remote code execution. The vulnerability has a CVSS v3.1 base score of 10.0, indicating maximum severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and a scope change (S:C). The impacts on confidentiality, integrity, and availability are all rated high (C:H/I:H/A:H), meaning an attacker can fully compromise the server, access sensitive data, alter or delete information, and disrupt services. The affected version is listed as 0.0, which likely indicates an initial or early release version of BRAIN2. No patches or known exploits in the wild are currently reported. The vulnerability is particularly dangerous because it allows an attacker to bypass user privilege restrictions by embedding malicious code in reports, which the server trusts and executes with elevated rights. This flaw could be exploited remotely without authentication or user interaction, making it highly exploitable in real-world scenarios.

Potential Impact

For European organizations using Bizerba BRAIN2, this vulnerability poses a severe risk. BRAIN2 is used primarily in industrial and retail environments for weighing, labeling, and data management. Successful exploitation could lead to full compromise of the BRAIN2 server, allowing attackers to manipulate critical operational data, disrupt production lines, or tamper with labeling and compliance information. This could result in financial losses, regulatory non-compliance, and damage to brand reputation. Additionally, since the vulnerability allows execution with administrator privileges, attackers could pivot to other internal systems, potentially compromising broader enterprise networks. The lack of required privileges or user interaction lowers the barrier for attackers, increasing the likelihood of exploitation. Given the critical nature of BRAIN2 in supply chain and manufacturing processes, disruption could have cascading effects on logistics and retail operations across Europe.

Mitigation Recommendations

1. Immediate isolation of BRAIN2 servers from untrusted networks to reduce exposure until a patch is available.
2. Implement strict network segmentation and firewall rules to limit access to BRAIN2 management interfaces only to trusted administrators and systems.
3. Monitor logs and reports generated by BRAIN2 for unusual or unexpected script content or execution patterns.
4. Employ application-layer intrusion detection systems (IDS) to detect anomalous code injection attempts in report submissions.
5. Enforce strict input validation and sanitization on report generation interfaces, if possible, through custom controls or intermediary validation proxies.
6. Coordinate with Bizerba for timely updates and patches; apply them immediately once released.
7. Conduct security awareness training for users interacting with BRAIN2 to recognize suspicious activities.
8. Consider deploying endpoint detection and response (EDR) solutions on servers hosting BRAIN2 to detect and respond to suspicious code execution.
9. Review and restrict user permissions on client systems to minimize the ability to create or modify reports with embedded scripts.
10. Establish incident response plans specifically addressing potential exploitation of this vulnerability.
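Recommendations 3, 5 and 9 above amount to one control: a report submitted from a client must not carry script content into the server-side executor unless an administrator has explicitly approved it. The following is an added illustration of that gate, not Bizerba's code; it assumes a hypothetical JSON report format (a list of sections with a type and body) and an HMAC key held only by administrators, since the page does not describe BRAIN2's real report format or approval workflow.

```python
import hashlib
import hmac
import json
import re

# Heuristic markers of embedded script content in a report definition.
# Hypothetical report format: JSON with a list of "sections", each carrying
# a "type" and a "body" (BRAIN2's real format is not described on the page).
SCRIPT_MARKERS = re.compile(
    r"<script\b|\bexec\s*\(|\bsystem\s*\(|\bimport\s+(os|subprocess)\b|powershell|cmd\.exe",
    re.IGNORECASE,
)


def find_script_sections(report: dict) -> list:
    """Return the ids of sections that are scripts or contain script-like text."""
    hits = []
    for section in report.get("sections", []):
        if section.get("type") == "script" or SCRIPT_MARKERS.search(str(section.get("body", ""))):
            hits.append(section.get("id", "<unnamed>"))
    return hits


def signature_for(report_bytes: bytes, key: bytes) -> str:
    """HMAC-SHA256 an administrator attaches when approving a report (assumed workflow)."""
    return hmac.new(key, report_bytes, hashlib.sha256).hexdigest()


def admit_report(report_bytes: bytes, signature: str, admin_key: bytes) -> tuple:
    """Gate in front of the privileged executor: returns ('ALLOW'|'REJECT', reason)."""
    report = json.loads(report_bytes)
    scripted = find_script_sections(report)
    if not scripted:
        return "ALLOW", "no embedded script content"
    # Script sections run only when the exact bytes were signed by an administrator.
    if signature and hmac.compare_digest(signature_for(report_bytes, admin_key), signature):
        return "ALLOW", "script sections %s approved by administrator signature" % scripted
    return "REJECT", "unapproved script content in sections %s" % scripted


# Constructed sample inputs (not real BRAIN2 data).
ADMIN_KEY = b"constructed-demo-key-rotate-in-production"
CLEAN_REPORT = json.dumps({"sections": [{"id": "totals", "type": "table", "body": "SUM(weight)"}]}).encode()
SCRIPTED_REPORT = json.dumps({"sections": [
    {"id": "totals", "type": "table", "body": "SUM(weight)"},
    {"id": "post", "type": "script", "body": "import os; os.system('echo report done')"},
]}).encode()

if __name__ == "__main__":
    print(admit_report(CLEAN_REPORT, "", ADMIN_KEY))
    print(admit_report(SCRIPTED_REPORT, "", ADMIN_KEY))
    print(admit_report(SCRIPTED_REPORT, signature_for(SCRIPTED_REPORT, ADMIN_KEY), ADMIN_KEY))
```

Rejected submissions are the events worth forwarding to the monitoring in recommendation 3; a client that repeatedly submits unsigned script sections is the pattern to alert on.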


Technical Details

Data Version: 5.1
Assigner Short Name: bizerba
Date Reserved: 2025-06-23T09:36:41.905Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68595460179a4edd60b68c8c

Added to database: 6/23/2025, 1:19:28 PM

Last enriched: 6/23/2025, 1:34:40 PM

Last updated: 8/14/2025, 11:54:00 PM
