CVE-2025-12140

CRITICAL

Java - RCE

Title source: llm

Description

The application contains an insecure 'redirectToUrl' mechanism that incorrectly processes the value of the 'redirectUrlParameter' parameter. The application interprets the entered string of characters as a Java expression, allowing an unauthenticated attacer to perform arbitrary code execution. This issue was fixed in version wu#2016.1.5513#0#20251014_113353

References (1)

[Various Sources] https://cert.pl/posts/2025/11/CVE-2025-12140/

Scores

CVSS v4 9.3

EPSS 0.0008

EPSS Percentile 22.6%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-95

Status published

Products (1)

Simple SA/Wirtualna Uczelnia < wu#2016.1.5513#0#20251014_113353

Published Nov 27, 2025

Tracked Since Feb 18, 2026