CWE-77 (Improper Neutralization of Special Elements used in a Command ('Command Injection')) — Vulnerability Class 1185

1185 vulnerabilities classified as CWE-77 (Improper Neutralization of Special Elements used in a Command ('Command Injection')). AI-generated Chinese analysis included.

CWE-77 represents a critical input validation weakness where software constructs commands using untrusted data without properly sanitizing special characters. Attackers typically exploit this by injecting malicious payloads, such as semicolons or pipe operators, into user-supplied fields to alter the intended command structure. This allows them to execute arbitrary system commands, potentially leading to full system compromise, data exfiltration, or denial of service. To prevent such vulnerabilities, developers must strictly validate and sanitize all external inputs, ensuring that only expected data formats are processed. Utilizing parameterized APIs or safe command execution libraries instead of direct string concatenation significantly reduces risk. Additionally, implementing the principle of least privilege for application processes limits the potential impact of successful injection attempts, thereby enhancing overall system security against command injection attacks.

MITRE CWE Description
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. Many protocols and products have their own custom command language. While OS or shell command strings are frequently discovered and targeted, developers may not realize that these other command languages might also be vulnerable to attacks.
Common Consequences (1)
Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands
If a malicious user injects a character (such as a semi-colon) that delimits the end of one command and the beginning of another, it may be possible to then insert an entirely new and unrelated command that was not intended to be executed. This gives an attacker a privilege or capability that they w…
Mitigations (5)
Architecture and Design: If at all possible, use library calls rather than external processes to recreate the desired functionality.
Implementation: If possible, ensure that all external commands called from the program are statically created.
Implementation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Operation: Run time policy enforcement may be used in an allowlist fashion to prevent use of any non-sanctioned commands.
System Configuration: Assign permissions that prevent the user from accessing/opening privileged files.
Examples (2)
Consider a "CWE Differentiator" application that uses an LLM generative AI based "chatbot" to explain the difference between two weaknesses. As input, it accepts two CWE IDs, constructs a prompt string, sends the prompt to the chatbot, and prints the results. The prompt string effectively acts as a command to the chatbot component. Assume that invokeChatbot() calls the chatbot and returns the …
    # arg1 and arg2 are used as-is; nothing checks that they are bare CWE IDs
    prompt = "Explain the difference between {} and {}".format(arg1, arg2)
    result = invokeChatbot(prompt)
    resultHTML = encodeForHTML(result)
    print(resultHTML)
Bad · Python
Explain the difference between CWE-77 and CWE-78
Informative
Consider the following program. It intends to perform an "ls -l" on an input filename. The validate_name() subroutine performs validation on the input to make sure that only alphanumeric and "-" characters are allowed, which avoids path traversal (CWE-22) and OS command injection (CWE-78) weaknesses. Only filenames like "abc" or "d-e-f" are intended to be allowed.
    my $arg = GetArgument("filename");
    do_listing($arg);

    sub do_listing {
        my($fname) = @_;
        if (! validate_name($fname)) {
            print "Error: name is not well-formed!\n";
            return;
        }
        # build command
        my $cmd = "/bin/ls -l $fname";
        system($cmd);
    }

    sub validate_name {
        my($name) = @_;
        if ($name =~ /^[\w\-]+$/) {
            return(1);
        }
        else {
            return(0);
        }
    }
Bad · Perl
    if ($name =~ /^\w[\w\-]+$/) ...
Good · Perl
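The two MITRE examples above share one lesson: validate against an allowlist before the input becomes part of a command, and avoid handing the command to a shell at all. The following Python is an added example written for this page, not code from MITRE's CWE-77 entry. It reduces the chatbot example to prompt construction with a strict CWE-ID check (invokeChatbot() is not modelled), and rewrites the listing example with an argv list and both of the page's name patterns side by side, so the difference between the "Bad" and "Good" regex is observable. The `--` separator passed to ls is an added defence that the page's example does not include.

```python
"""Added example (not MITRE's code): allowlist validation before building a
command, for both CWE-77 demonstrative examples above."""
import re
import subprocess

# --- Example 1: a prompt string acting as a command to a chatbot ------------

# Accept-known-good: only a bare CWE identifier is a valid argument.
CWE_ID_RE = re.compile(r"CWE-\d{1,5}")


def validate_cwe_id(arg: str) -> bool:
    """'CWE-77' passes; anything with extra text or instructions is rejected."""
    return CWE_ID_RE.fullmatch(arg) is not None


def build_prompt(arg1: str, arg2: str) -> str:
    """Builds the prompt only from validated CWE IDs.

    The unvalidated original lets a caller append their own text to the prompt;
    rejecting anything that is not a bare CWE ID removes that channel.
    """
    for arg in (arg1, arg2):
        if not validate_cwe_id(arg):
            raise ValueError(f"rejected argument: {arg!r}")
    return "Explain the difference between {} and {}".format(arg1, arg2)


# --- Example 2: a filename passed to /bin/ls -l ------------------------------

# The page's "Bad" pattern: word characters and '-' in any order, so a name
# may begin with '-' and be parsed by ls as an option.
BAD_NAME_RE = re.compile(r"[\w\-]+")
# The page's "Good" pattern: the first character must be a word character.
GOOD_NAME_RE = re.compile(r"\w[\w\-]+")
# fullmatch() is used instead of a trailing '$' so that "abc\n" is rejected
# too ('$' in both Perl and Python matches before a trailing newline).


def validate_name_bad(name: str) -> bool:
    return BAD_NAME_RE.fullmatch(name) is not None


def validate_name_good(name: str) -> bool:
    return GOOD_NAME_RE.fullmatch(name) is not None


def listing_argv(fname: str) -> list:
    """Returns the argv for the listing, or raises if the name is rejected.

    An argv list reaches execve() without a shell parsing it, so ';', '|' and
    friends are just bytes in a filename. '--' additionally tells ls that what
    follows is an operand, not an option (added defence, not on the page).
    """
    if not validate_name_good(fname):
        raise ValueError("name is not well-formed")
    return ["/bin/ls", "-l", "--", fname]


def do_listing(fname: str) -> str:
    """Runs the listing without shell=True and returns its stdout."""
    result = subprocess.run(listing_argv(fname), capture_output=True,
                            text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    print(build_prompt("CWE-77", "CWE-78"))
    # Constructed sample inputs: two intended names, an option-looking name,
    # a shell metacharacter, and whitespace.
    for candidate in ["abc", "d-e-f", "-a", "a;id", "abc def"]:
        print(f"{candidate!r:12} bad={validate_name_bad(candidate)} "
              f"good={validate_name_good(candidate)}")
```

Run it and compare the two columns: "abc" and "d-e-f" pass both patterns, "a;id" and "abc def" fail both, and only "-a" separates them, which is exactly the case the "Good" pattern was introduced to close. The argv list is what prevents the metacharacter cases from ever mattering, independent of the regex.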
CVE ID | Title | CVSS | Severity | Published
CVE-2025-15133 | ZSPACE Z4Pro+ HTTP POST Request close zfilev2_api_CloseSafe command injection — Z4Pro+ | 6.3 | Medium | 2025-12-28
CVE-2025-15132 | ZSPACE Z4Pro+ HTTP POST Request open zfilev2_api_open command injection — Z4Pro+ | 6.3 | Medium | 2025-12-28
CVE-2025-15131 | ZSPACE Z4Pro+ HTTP POST Request status zfilev2_api_SafeStatus command injection — Z4Pro+ | 6.3 | Medium | 2025-12-28
CVE-2025-15081 | JD Cloud BE6500 jdcapi sub_4780 command injection — Cloud BE6500 | 6.3 | Medium | 2025-12-25
CVE-2025-15048 | Tenda WH450 HTTP Request CheckTools command injection — WH450 | 7.3 | High | 2025-12-23
CVE-2025-14884 | D-Link DIR-605 Firmware Update Service command injection — DIR-605 | 7.2 | High | 2025-12-18
CVE-2025-68433 | Zed IDE MCP Context Server Configuration Arbitrary Code Execution — zed | 7.8 | High | 2025-12-17
CVE-2025-68432 | Zed IDE LSP Binary Configuration Arbitrary Code Execution — zed | 7.8 | High | 2025-12-17
CVE-2025-14707 | Shiguangwu sgwbox N3 DOCKER Feature http_eshell_server command injection — sgwbox N3 | 9.8 | Critical | 2025-12-15
CVE-2025-14706 | Shiguangwu sgwbox N3 NETREBOOT http_eshell_server command injection — sgwbox N3 | 9.8 | Critical | 2025-12-15
CVE-2025-14705 | Shiguangwu sgwbox N3 SHARESERVER Feature command injection — sgwbox N3 | 9.8 | Critical | 2025-12-15
CVE-2025-14659 | D-Link DIR-860LB1/DIR-868LB1 DHCP command injection — DIR-860LB1 | 8.8 | High | 2025-12-14
CVE-2025-14648 | DedeBIZ catalog_add.php command injection — DedeBIZ | 4.7 | Medium | 2025-12-14
CVE-2025-67728 | Fireshare Public Uploads feature is vulnerable to OS Command Injection (RCE) — fireshare | 9.8 | Critical | 2025-12-12
CVE-2025-67508 | gardenctl is vulnerable to Command Injection when used with non‑POSIX shells — gardenctl-v2 | 6.0 (AI) | Medium (AI) | 2025-12-12
CVE-2025-14485 | EFM ipTIME A3004T Administrator Password timepro.cgi show_debug_screen command injection — ipTIME A3004T | 5.0 | Medium | 2025-12-11
CVE-2025-67511 | Cybersecurity AI (CAI) vulnerable to Command Injection in run_ssh_command_with_credentials Agent tool — cai | 9.7 | Critical | 2025-12-10
CVE-2025-54100 | PowerShell Remote Code Execution Vulnerability — Windows 10 Version 1607 | 7.8 | High | 2025-12-09
CVE-2025-64671 | GitHub Copilot for Jetbrains Remote Code Execution Vulnerability — GitHub Copilot Plugin for JetBrains IDEs | 8.4 | High | 2025-12-09
CVE-2025-40937 | Siemens SIMATIC CN 4100 Command Injection Vulnerability — SIMATIC CN 4100 | 8.3 | High | 2025-12-09
CVE-2024-56837 | Siemens RUGGEDCOM ROX II Command Injection Vulnerability — RUGGEDCOM ROX MX5000 | 7.2 | High | 2025-12-09
CVE-2024-56836 | Siemens RUGGEDCOM ROX II Command Injection Vulnerability — RUGGEDCOM ROX MX5000 | 7.5 | High | 2025-12-09
CVE-2025-14276 | Ilevia EVE X1 Server leaf_search.php command injection — EVE X1 Server | 5.6 | Medium | 2025-12-08
CVE-2025-14225 | D-Link DCS-930L alphapd setSystemAdmin command injection — DCS-930L | 6.3 | Medium | 2025-12-08
CVE-2025-14208 | D-Link DIR-823X set_wan_settings sub_415028 command injection — DIR-823X | 6.3 | Medium | 2025-12-08
CVE-2025-14188 | UGREEN DH2100+ nas_svr create handler_file_backup_create command injection — DH2100+ | 7.2 | High | 2025-12-07
CVE-2025-14184 | SGAI Space1 NAS N1211DS gsaiagent JSONAPI NGNIX_UPLOAD command injection — Space1 NAS N1211DS | 6.3 | Medium | 2025-12-07
CVE-2025-14108 | ZSPACE Q2C NAS HTTP POST Request open zfilev2_api.OpenSafe command injection — Q2C NAS | 8.8 | High | 2025-12-05
CVE-2025-14107 | ZSPACE Q2C NAS HTTP POST Request status zfilev2_api.SafeStatus command injection — Q2C NAS | 8.8 | High | 2025-12-05
CVE-2025-14106 | ZSPACE Q2C NAS HTTP POST Request close zfilev2_api.CloseSafe command injection — Q2C NAS | 8.8 | High | 2025-12-05

Vulnerabilities classified as CWE-77 (Improper Neutralization of Special Elements used in a Command ('Command Injection')) represent 1185 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.