CVE-2025-69600
Description
Command injection in Raynet rvia 12.6.4392.49-amd64.deb allows adversaries to execute commands via getconfig, and upload through the URL argument, and oracle through the -o flag The Supplier's perspective is that this is caused by Argument Injection in the find command query in rvia 12.6.4392.49. This in an arbitrary code execution flaw caused by an incorrectly constructed find command. The application actively searches for a Java executable by using search criteria that is not properly terminated or sanitized. By constructing a crafted directory path that satisfies the malformed search criteria, an attacker can trick the application into executing arbitrary Java code. This differs from standard PATH manipulation because it stems from the application's internal search logic. Specifically, a local attacker can create a crafted directory structure and path that satisfies an improperly terminated find query used by the application to locate a Java runtime.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Command injection in Raynet rvia 12.6.4392.49 allows local attackers to execute arbitrary commands via crafted arguments to getconfig, upload, inventory, and oracle options.
Vulnerability
Raynet rvia version 12.6.4392.49 (also affecting RayVentory Scan Engine 12.6 Update 8 and previous versions) contains command injection vulnerabilities in the getconfig, upload, inventory, and oracle options. The application constructs commands unsafely using user-supplied input without proper sanitization. For example, the getconfig option passes the URL argument directly into a shell command, and the oracle option does the same with the -o flag. Additionally, a separate argument injection flaw exists in the find command used to locate a Java runtime; a local attacker can create a crafted directory structure to force execution of arbitrary Java code. The vendor advisory RSEC200966 describes this as argument injection in the find command query [1].
Exploitation
A local attacker must have access to execute the rvia binary. No authentication is required beyond that. By passing a crafted argument such as \;command\; to the getconfig or oracle options, the attacker can inject arbitrary system commands. For the upload option, double quotes must be escaped and a # appended to ignore trailing arguments: \"\;command\;#. The inventory option is also directly vulnerable with the same injection pattern. For the find-based Java search flaw, the attacker creates a malicious directory structure with a name that satisfies the improperly terminated find query, placing a rogue Java executable that rvia will run [1].
Impact
Successful exploitation allows the attacker to execute arbitrary shell commands with the privileges of the rvia process (typically root or a dedicated service user). This can lead to full system compromise, including data exfiltration, installation of backdoors, or lateral movement. The CIA impact is complete: confidentiality, integrity, and availability are all at risk [1].
Mitigation
The Raynet advisory RSEC200966 recommends updating to RayVentory Scan Engine 12.6 Update 9 or later. If patching is not immediately possible, ensure that the ForbiddenCurlChars configuration property in /etc/rvia_configuration is set to restrict dangerous characters, and set the javaPaths option in /opt/rvia/rvia.cfg to a safe default to avoid the find command search path. However, these workarounds only partially mitigate the injection points; a vendor patch is the only complete fix [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: =12.6
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
1News mentions
0No linked articles in our index yet.