CVE-2025-9494

🗓️ 23 Sep 2025 01:12:17Reported by CarrierType

cve🔗 web.nvd.nist.gov👁 10 Views🌐 WEB

Authenticated command injection in Vitogate 300 via vitogate.cgi form-0-2, enabling code execution.

Reporter	Title	Published	Views	Family All 9
Circl	CVE-2025-9494	23 Sep 202510:00	–	circl
CNNVD	Viessmann Vitogate 300 安全漏洞	23 Sep 202500:00	–	cnnvd
Cvelist	CVE-2025-9494 Viessmann Vitogate 300 OS Command Injection	23 Sep 202501:12	–	cvelist
EUVD	EUVD-2025-30434	3 Oct 202520:07	–	euvd
NVD	CVE-2025-9494	23 Sep 202502:15	–	nvd
Positive Technologies	PT-2025-39103	23 Sep 202500:00	–	ptsecurity
RedhatCVE	CVE-2025-9494	25 Sep 202502:53	–	redhatcve
Vulnrichment	CVE-2025-9494 Viessmann Vitogate 300 OS Command Injection	23 Sep 202501:12	–	vulnrichment
Zero Day Initiative	Viessmann Vitogate 300 BN/MB vitogate.cgi form-0-2 Command Injection Remote Code Execution Vulnerability	1 Oct 202500:00	–	zdi

[
  {
    "defaultStatus": "unaffected",
    "product": "Vitogate 300",
    "vendor": "Viessmann",
    "versions": [
      {
        "lessThan": "3.1.0.0",
        "status": "affected",
        "version": "1",
        "versionType": "SKU"
      }
    ]
  }
]

Source	Link
corporate	www.corporate.carrier.com/product-security/advisories-resources/

Parameter	Position	Path	Description	CWE
form	request body	/cgi-bin/vitogate.cgi	OS command injection through unsanitized input in the form JSON parameter (form-0-2) that is interpolated into a format string used by popen(), enabling authenticated code execution on Vitogate 300.	CWE-78

15 Apr 2026 00:35Current

8High risk

Vulners AI Score8

CVSS 48.5

EPSS0.00246

SSVC

CWE-78