CVE-2025-11546
CRITICAL
CLUSTERPRO X and EXPRESSCLUSTER X for Linux 4.0-5.2 - Unauthenticated OS Command Injection
Title source: llm
Description
Affected products: CLUSTERPRO X for Linux 4.0, 4.1, 4.2, 5.0, 5.1 and 5.2; EXPRESSCLUSTER X for Linux 4.0, 4.1, 4.2, 5.0, 5.1 and 5.2; CLUSTERPRO X SingleServerSafe for Linux 4.0, 4.1, 4.2, 5.0, 5.1 and 5.2; and EXPRESSCLUSTER X SingleServerSafe for Linux 4.0, 4.1, 4.2, 5.0, 5.1 and 5.2. If an attacker sends specially crafted network packets to the product, arbitrary OS commands may be executed without authentication.
References (1)
Core 1
Core References
Various Sources
https://jpn.nec.com/security-info/secinfo/nv25-006_en.html
Scores
CVSS v4: 9.3
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.0040
EPSS Percentile: 31.7%
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total
Details
CWE: CWE-78
Status: published
Products (2)
NEC Corporation/CLUSTERPRO X for Linux (EXPRESSCLUSTER X for Linux): 4.0, 4.1, 4.2, 5.0, 5.1 and 5.2
NEC Corporation/CLUSTERPRO X SingleServerSafe for Linux (EXPRESSCLUSTER X SingleServerSafe for Linux): 4.0, 4.1, 4.2, 5.0, 5.1 and 5.2
Published: Nov 07, 2025
Tracked Since: Feb 18, 2026