cvelistv5 - CVE-2025-13087

CVE-2025-13087 (GCVE-0-2025-13087)

Vulnerability from cvelistv5 – Published: 2025-11-20 21:32 – Updated: 2025-11-21 16:01

Summary

A vulnerability exists in the Opto22 Groov Manage REST API on GRV-EPIC and groov RIO Products that allows remote code execution with root privileges. When a POST request is executed against the vulnerable endpoint, the application reads certain header details and unsafely uses these values to build commands, allowing an attacker with administrative privileges to inject arbitrary commands that execute as root.

Severity ?

7.5 (High)


                        
                          CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

6.2 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Assigner

icscert

References

URL

Tags

	https://www.cisa.gov/news-events/ics-advisories/i…
	https://www.opto22.com/support/resources-tools/kn…
	https://github.com/cisagov/CSAF/blob/develop/csaf…

Impacted products

Vendor

Product

Version

Opto22

GRV-EPIC-PR1

Affected: 0 , < 4.0.3 (custom)

Opto22	GRV-EPIC-PR2	Affected: 0 , < 4.0.3 (custom)
Opto22	groov RIO GRV-R7-MM1001-10	Affected: 0 , < 4.0.3 (custom)
Opto22	groov RIO GRV-R7-MM2001-10	Affected: 0 , < 4.0.3 (custom)
Opto22	groov RIO GRV-R7-I1VAPM-3	Affected: 0 , < 4.0.3 (custom)

Credits

Nik Tsytsarkin of Meta reported this vulnerability to CISA. Ismail Aydemir of Meta reported this vulnerability to CISA. Ryan Hall of Meta reported this vulnerability to CISA.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13087",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-21T16:01:30.468009Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-21T16:01:40.324Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "GRV-EPIC-PR1",
          "vendor": "Opto22",
          "versions": [
            {
              "lessThan": "4.0.3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "GRV-EPIC-PR2",
          "vendor": "Opto22",
          "versions": [
            {
              "lessThan": "4.0.3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "groov RIO GRV-R7-MM1001-10",
          "vendor": "Opto22",
          "versions": [
            {
              "lessThan": "4.0.3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "groov RIO GRV-R7-MM2001-10",
          "vendor": "Opto22",
          "versions": [
            {
              "lessThan": "4.0.3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "groov RIO GRV-R7-I1VAPM-3",
          "vendor": "Opto22",
          "versions": [
            {
              "lessThan": "4.0.3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Nik Tsytsarkin of Meta reported this vulnerability to CISA."
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Ismail Aydemir of Meta reported this vulnerability to CISA."
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Ryan Hall of Meta reported this vulnerability to CISA."
        }
      ],
      "datePublic": "2025-11-20T20:35:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA vulnerability exists in the Opto22 Groov Manage REST API on GRV-EPIC and groov RIO Products that allows remote code execution with root privileges. When a POST request is executed against the vulnerable endpoint, the application reads certain header details and unsafely uses these values to build commands, allowing an attacker with administrative privileges to inject arbitrary commands that execute as root.\u003c/span\u003e"
            }
          ],
          "value": "A vulnerability exists in the Opto22 Groov Manage REST API on GRV-EPIC and groov RIO Products that allows remote code execution with root privileges. When a POST request is executed against the vulnerable endpoint, the application reads certain header details and unsafely uses these values to build commands, allowing an attacker with administrative privileges to inject arbitrary commands that execute as root."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-20T21:32:37.510Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-324-03"
        },
        {
          "url": "https://www.opto22.com/support/resources-tools/knowledgebase/kb91326"
        },
        {
          "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-324-03.json"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eOpto 22 has published a patch to address this vulnerability and recommends that users upgrade to GRV-EPIC and groov RIO Firmware Version 4.0.3. Additional information is available from Opto 22 \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.opto22.com/support/resources-tools/knowledgebase/kb91326\"\u003ehere\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "Opto 22 has published a patch to address this vulnerability and recommends that users upgrade to GRV-EPIC and groov RIO Firmware Version 4.0.3. Additional information is available from Opto 22  here https://www.opto22.com/support/resources-tools/knowledgebase/kb91326 ."
        }
      ],
      "source": {
        "advisory": "ICSA-25-324-03",
        "discovery": "EXTERNAL"
      },
      "title": "Command Injection in Opto22 Groov REST API",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-13087",
    "datePublished": "2025-11-20T21:32:37.510Z",
    "dateReserved": "2025-11-12T19:41:06.455Z",
    "dateUpdated": "2025-11-21T16:01:40.324Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-13087\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2025-11-20T22:15:54.310\",\"lastModified\":\"2025-11-21T15:13:13.800\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability exists in the Opto22 Groov Manage REST API on GRV-EPIC and groov RIO Products that allows remote code execution with root privileges. When a POST request is executed against the vulnerable endpoint, the application reads certain header details and unsafely uses these values to build commands, allowing an attacker with administrative privileges to inject arbitrary commands that execute as root.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L\",\"baseScore\":6.2,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":0.7,\"impactScore\":5.5}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"references\":[{\"url\":\"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-324-03.json\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"https://www.cisa.gov/news-events/ics-advisories/icsa-25-324-03\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"https://www.opto22.com/support/resources-tools/knowledgebase/kb91326\",\"source\":\"ics-cert@hq.dhs.gov\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-13087\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-11-21T16:01:30.468009Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-11-21T16:01:36.546Z\"}}], \"cna\": {\"title\": \"Command Injection in Opto22 Groov REST API\", \"source\": {\"advisory\": \"ICSA-25-324-03\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Nik Tsytsarkin of Meta reported this vulnerability to CISA.\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Ismail Aydemir of Meta reported this vulnerability to CISA.\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Ryan Hall of Meta reported this vulnerability to CISA.\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 7.5, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Opto22\", \"product\": \"GRV-EPIC-PR1\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"4.0.3\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Opto22\", \"product\": \"GRV-EPIC-PR2\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"4.0.3\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Opto22\", \"product\": \"groov RIO GRV-R7-MM1001-10\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"4.0.3\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Opto22\", \"product\": \"groov RIO GRV-R7-MM2001-10\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"4.0.3\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Opto22\", \"product\": \"groov RIO GRV-R7-I1VAPM-3\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"4.0.3\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Opto 22 has published a patch to address this vulnerability and recommends that users upgrade to GRV-EPIC and groov RIO Firmware Version 4.0.3. Additional information is available from Opto 22  here https://www.opto22.com/support/resources-tools/knowledgebase/kb91326 .\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eOpto 22 has published a patch to address this vulnerability and recommends that users upgrade to GRV-EPIC and groov RIO Firmware Version 4.0.3. Additional information is available from Opto 22 \u003c/span\u003e\u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://www.opto22.com/support/resources-tools/knowledgebase/kb91326\\\"\u003ehere\u003c/a\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e.\u003c/span\u003e\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"datePublic\": \"2025-11-20T20:35:00.000Z\", \"references\": [{\"url\": \"https://www.cisa.gov/news-events/ics-advisories/icsa-25-324-03\"}, {\"url\": \"https://www.opto22.com/support/resources-tools/knowledgebase/kb91326\"}, {\"url\": \"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-324-03.json\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability exists in the Opto22 Groov Manage REST API on GRV-EPIC and groov RIO Products that allows remote code execution with root privileges. When a POST request is executed against the vulnerable endpoint, the application reads certain header details and unsafely uses these values to build commands, allowing an attacker with administrative privileges to inject arbitrary commands that execute as root.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eA vulnerability exists in the Opto22 Groov Manage REST API on GRV-EPIC and groov RIO Products that allows remote code execution with root privileges. When a POST request is executed against the vulnerable endpoint, the application reads certain header details and unsafely uses these values to build commands, allowing an attacker with administrative privileges to inject arbitrary commands that execute as root.\u003c/span\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-78\", \"description\": \"CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"shortName\": \"icscert\", \"dateUpdated\": \"2025-11-20T21:32:37.510Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-13087\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-21T16:01:40.324Z\", \"dateReserved\": \"2025-11-12T19:41:06.455Z\", \"assignerOrgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"datePublished\": \"2025-11-20T21:32:37.510Z\", \"assignerShortName\": \"icscert\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2025-13087

Vulnerability from fkie_nvd - Published: 2025-11-20 22:15 - Updated: 2025-11-21 15:13

Severity ?

6.2 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L

Summary

References

	URL	Tags
	ics-cert@hq.dhs.gov	https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-324-03.json
	ics-cert@hq.dhs.gov	https://www.cisa.gov/news-events/ics-advisories/icsa-25-324-03
	ics-cert@hq.dhs.gov	https://www.opto22.com/support/resources-tools/knowledgebase/kb91326

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability exists in the Opto22 Groov Manage REST API on GRV-EPIC and groov RIO Products that allows remote code execution with root privileges. When a POST request is executed against the vulnerable endpoint, the application reads certain header details and unsafely uses these values to build commands, allowing an attacker with administrative privileges to inject arbitrary commands that execute as root."
    }
  ],
  "id": "CVE-2025-13087",
  "lastModified": "2025-11-21T15:13:13.800",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.2,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 0.7,
        "impactScore": 5.5,
        "source": "ics-cert@hq.dhs.gov",
        "type": "Secondary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "HIGH",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "HIGH",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "LOW",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "ics-cert@hq.dhs.gov",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-11-20T22:15:54.310",
  "references": [
    {
      "source": "ics-cert@hq.dhs.gov",
      "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-324-03.json"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-324-03"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "url": "https://www.opto22.com/support/resources-tools/knowledgebase/kb91326"
    }
  ],
  "sourceIdentifier": "ics-cert@hq.dhs.gov",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "ics-cert@hq.dhs.gov",
      "type": "Primary"
    }
  ]
}

ICSA-25-324-03

Vulnerability from csaf_cisa - Published: 2025-11-20 06:00 - Updated: 2025-11-20 06:00

Summary

Opto 22 GRV-EPIC and groov RIO

Notes

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Risk evaluation

Successful exploitation of this vulnerability could result in the execution of arbitrary shell commands with root privileges.

Critical infrastructure sectors

Critical Manufacturing

Countries/areas deployed

Worldwide

Company headquarters location

United States

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Recommended Practices

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.

Recommended Practices

Locate control system networks and remote devices behind firewalls and isolate them from business networks.

Recommended Practices

When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

Recommended Practices

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Recommended Practices

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Recommended Practices

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Recommended Practices

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Recommended Practices

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Recommended Practices

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Nik Tsytsarkin",
          "Ismail Aydemir",
          "Ryan Hall"
        ],
        "organization": "Meta",
        "summary": "reporting this vulnerability to CISA"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.cisa.gov/news-events/news/traffic-light-protocol-tlp-definitions-and-usage"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy \u0026 Use policy (https://www.cisa.gov/privacy-policy).",
        "title": "Legal Notice and Terms of Use"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of this vulnerability could result in the execution of arbitrary shell commands with root privileges.",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Critical Manufacturing",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "United States",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Locate control system networks and remote devices behind firewalls and isolate them from business networks.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.",
        "title": "Recommended Practices"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "central@cisa.dhs.gov",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-25-324-03 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2025/icsa-25-324-03.json"
      },
      {
        "category": "self",
        "summary": "ICSA Advisory ICSA-25-324-03 - Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-324-03"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/topics/industrial-control-systems"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/news-events/ics-alerts/ics-alert-10-301-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/news-events/news/targeted-cyber-intrusion-detection-and-mitigation-strategies-update-b"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/secure-our-world/teach-employees-avoid-phishing"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks"
      }
    ],
    "title": "Opto 22 GRV-EPIC and groov RIO",
    "tracking": {
      "current_release_date": "2025-11-20T06:00:00.000000Z",
      "generator": {
        "date": "2025-11-20T17:39:11.131863Z",
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-25-324-03",
      "initial_release_date": "2025-11-20T06:00:00.000000Z",
      "revision_history": [
        {
          "date": "2025-11-20T06:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "Initial Publication"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c4.0.3",
                "product": {
                  "name": "Opto 22 GRV-EPIC-PR1 Firmware: \u003c4.0.3",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "GRV-EPIC-PR1 Firmware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c4.0.3",
                "product": {
                  "name": "Opto 22 GRV-EPIC-PR2 Firmware: \u003c4.0.3",
                  "product_id": "CSAFPID-0002"
                }
              }
            ],
            "category": "product_name",
            "name": "GRV-EPIC-PR2 Firmware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c4.0.3",
                "product": {
                  "name": "Opto 22 groov RIO GRV-R7-MM1001-10 Firmware: \u003c4.0.3",
                  "product_id": "CSAFPID-0003"
                }
              }
            ],
            "category": "product_name",
            "name": "groov RIO GRV-R7-MM1001-10 Firmware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c4.0.3",
                "product": {
                  "name": "Opto 22 groov RIO GRV-R7-MM2001-10 Firmware: \u003c4.0.3",
                  "product_id": "CSAFPID-0004"
                }
              }
            ],
            "category": "product_name",
            "name": "groov RIO GRV-R7-MM2001-10 Firmware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c4.0.3",
                "product": {
                  "name": "Opto 22 groov RIO GRV-R7-I1VAPM-3 Firmware: \u003c4.0.3",
                  "product_id": "CSAFPID-0005"
                }
              }
            ],
            "category": "product_name",
            "name": "groov RIO GRV-R7-I1VAPM-3 Firmware"
          }
        ],
        "category": "vendor",
        "name": "Opto 22"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-13087",
      "cwe": {
        "id": "CWE-78",
        "name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A vulnerability exists in the Opto22 Groov Manage REST API on GRV-EPIC and groov RIO Products that allows remote code execution with root privileges. When a POST request is executed against the vulnerable endpoint, the application reads certain header details and unsafely uses these values to build commands, allowing an attacker with administrative privileges to inject arbitrary commands that execute as root.",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003",
          "CSAFPID-0004",
          "CSAFPID-0005"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "www.cve.org",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-13087"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Opto 22 has published a patch to address this vulnerability and recommends that users upgrade to GRV-EPIC and groov RIO Firmware Version 4.0.3. Additional information is available from Opto 22 here.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005"
          ],
          "url": "https://www.opto22.com/support/resources-tools/knowledgebase/kb91326"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005"
          ]
        }
      ]
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-13087 (GCVE-0-2025-13087)

FKIE_CVE-2025-13087

ICSA-25-324-03

Tags

Sightings

Nomenclature