
CVE-2025-8752: Command Injection in wangzhixuan spring-shiro-training

Medium
Tags: Vulnerability, CVE-2025-8752, cve
Published: Sat Aug 09 2025 (08/09/2025, 12:02:10 UTC)
Source: CVE Database V5
Vendor/Project: wangzhixuan
Product: spring-shiro-training

Description

A vulnerability was found in wangzhixuan spring-shiro-training up to 94812c1fd8f7fe796c931f4984ff1aa0671ab562. It has been declared as critical. This vulnerability affects unknown code of the file /role/add. The manipulation leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected or updated releases are available.

AI-Powered Analysis

Last updated: 08/17/2025, 01:06:47 UTC

Technical Analysis

CVE-2025-8752 is a command injection vulnerability identified in the wangzhixuan spring-shiro-training project, specifically affecting the /role/add endpoint. This vulnerability allows an unauthenticated remote attacker to execute arbitrary system commands on the affected server by manipulating input parameters sent to this endpoint. The vulnerability exists in an unknown portion of the codebase up to commit 94812c1fd8f7fe796c931f4984ff1aa0671ab562. The product uses continuous delivery with rolling releases, which complicates precise version tracking and patch availability. The CVSS 4.0 base score is 6.9, indicating a medium severity level. The vector string (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) shows that the attack can be performed remotely without authentication or user interaction, with low attack complexity. The vulnerability impacts confidentiality, integrity, and availability to a limited extent. Although public exploit code has been disclosed, there are no confirmed reports of active exploitation in the wild. The vulnerability is critical in nature due to the potential for command injection, but the CVSS score reflects some mitigating factors such as limited scope and impact. The lack of patch links or fixed versions indicates that remediation may not yet be available or publicly disclosed. Organizations using this training or related spring-shiro components should consider this a serious risk, especially in environments where the /role/add endpoint is exposed to untrusted networks.

Potential Impact

For European organizations, this vulnerability poses a significant risk if the affected spring-shiro-training component is used in production or development environments, particularly those exposing the /role/add endpoint to external or semi-trusted networks. Successful exploitation could allow attackers to execute arbitrary commands, potentially leading to data breaches, unauthorized privilege escalation, service disruption, or lateral movement within networks. Confidentiality could be compromised by unauthorized data access, integrity by malicious command execution altering system state or data, and availability by causing denial-of-service conditions. The medium CVSS score suggests some limitations in impact or exploitability, but the lack of authentication and user interaction requirements increases risk. European organizations in sectors such as finance, healthcare, government, and critical infrastructure, which often rely on Java-based web applications and frameworks like Spring and Shiro, could be particularly vulnerable if this component is integrated without proper controls. The public disclosure of exploit details increases the urgency for mitigation to prevent opportunistic attacks.

Mitigation Recommendations

1. Immediate code review and audit of the /role/add endpoint to identify and sanitize all inputs that could lead to command injection.
2. Implement strict input validation and output encoding to prevent injection of shell commands or system calls.
3. Apply the principle of least privilege to the application runtime environment, ensuring that even if command injection occurs, the attacker's capabilities are limited.
4. Monitor network traffic and application logs for unusual activity or command execution attempts targeting the /role/add endpoint.
5. If possible, isolate or restrict access to the vulnerable endpoint to trusted internal networks only until a patch or update is available.
6. Engage with the vendor or open-source maintainers to obtain or contribute to a patch addressing this vulnerability.
7. Employ Web Application Firewalls (WAFs) with custom rules to detect and block command injection patterns targeting this endpoint.
8. Conduct penetration testing and vulnerability scanning focused on injection flaws in the affected application components.
9. Educate developers and DevOps teams about secure coding practices related to command injection and input handling in Java and Spring-based applications.
10. Maintain an incident response plan to quickly contain and remediate any exploitation attempts.
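The following is an added example, not code from the advisory or from the spring-shiro-training project, illustrating recommendations 1, 2 and 4 together: a strict allowlist check of the kind the /role/add endpoint should apply to a role name, and a scanner that runs the complementary detection over access-log lines, flagging requests to /role/add whose parameters carry shell metacharacters. The advisory does not state which parameter is affected or how it reaches a shell, so the parameter name roleName, the assumption that it travels in the query string, the combined log format and every log line below are constructed for the example.

```python
"""Added example (not from the advisory or the spring-shiro-training project):
allowlist validation for a role name plus access-log detection for the
/role/add endpoint. Parameter name 'roleName', the log format and all log
lines are constructed assumptions."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Combined log format: ip - - [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that let a value break out of a shell argument.
SHELL_META = re.compile(r'[;|&`$<>\n]')

# Allowlist the endpoint itself should enforce (recommendations 1 and 2):
# a role name is a short, plain identifier and nothing else.
ROLE_NAME_OK = re.compile(r'^[A-Za-z0-9_-]{1,32}$')


def is_valid_role_name(value: str) -> bool:
    """Accept only values matching the allowlist; reject everything else."""
    return ROLE_NAME_OK.fullmatch(value) is not None


def parse_line(line: str):
    """Split one access-log line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "path": parts.path, "params": params, "status": int(m.group("status"))}


def suspicious_params(params: dict) -> list:
    """Names of parameters that fail the allowlist and contain shell metacharacters."""
    hits = []
    for name, value in params.items():
        # parse_qsl decoded once already; decode again to catch double-encoding.
        decoded = unquote_plus(value)
        if SHELL_META.search(decoded) and not is_valid_role_name(decoded):
            hits.append(name)
    return hits


def scan(lines, endpoint: str = "/role/add") -> list:
    """Return (ip, timestamp, [param names]) for each request to the endpoint
    that carries a suspicious parameter value (recommendation 4)."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != endpoint:
            continue
        bad = suspicious_params(rec["params"])
        if bad:
            alerts.append((rec["ip"], rec["ts"], bad))
    return alerts


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Aug/2025:12:02:10 +0000] "GET /role/add?roleName=auditor&description=read-only HTTP/1.1" 200 512',
    '203.0.113.7 - - [09/Aug/2025:12:03:41 +0000] "GET /role/add?roleName=ops%3Bid HTTP/1.1" 200 734',
    '203.0.113.9 - - [09/Aug/2025:12:05:02 +0000] "GET /user/list?page=2 HTTP/1.1" 200 2048',
    '198.51.100.4 - - [09/Aug/2025:12:06:15 +0000] "GET /role/add?roleName=%2560uname%2560 HTTP/1.1" 500 120',
]

if __name__ == "__main__":
    for ip, ts, names in scan(SAMPLE_LOG):
        print(f"ALERT {ts} {ip} /role/add suspicious params: {', '.join(names)}")
```

Run stand-alone, the scanner reports the second and fourth sample lines (the first carries a clean role name, the third is a different endpoint); the fourth shows why the extra decoding step matters, since its backticks are double-encoded. Access logs normally record only the request line, so if the endpoint takes its parameters in a POST body the same check belongs in application-level request logging or in the WAF rule from recommendation 7; the allowlist function is the part to port into the endpoint's own validation.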


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-08-08T11:45:12.411Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68973c6aad5a09ad000b94f9

Added to database: 8/9/2025, 12:17:46 PM

Last enriched: 8/17/2025, 1:06:47 AM

Last updated: 9/21/2025, 7:37:55 AM

