CVE-2025-60021

CRITICAL EXPLOITED RANSOMWARE

Apache bRPC < 1.15.0 - Remote Command Injection via Heap Profiler extra_options Parameter

Title source: llm

Exploitation Summary

CVE-2025-60021 has been observed exploited in the wild (reported by VulnCheck KEV), including in ransomware campaigns. EIP tracks 2 public exploits from researchers including Mefhika120 and ninjazan420.

AI-analyzed exploit summary: This is a functional PoC for CVE-2025-60021, demonstrating unauthenticated remote command execution in Apache bRPC via command injection in the `extra_options` parameter of the `/pprof/heap` endpoint.

Description

Remote command injection vulnerability in the heap profiler builtin service in Apache bRPC (all versions < 1.15.0) on all platforms allows an attacker to inject remote commands.

Root cause: The bRPC heap profiler built-in service (/pprof/heap) does not validate the user-provided extra_options parameter and executes it as a command-line argument. Attackers can execute remote commands using the extra_options parameter.

Affected scenarios: Using the built-in bRPC heap profiler service to perform jemalloc memory profiling.

How to fix: we provide two methods; you can choose one of them:
1. Upgrade bRPC to version 1.15.0.
2. Apply this patch ( https://github.com/apache/brpc/pull/3101 ) manually.

Exploits (2)

nomisec WORKING POC
by Mefhika120 · remote
https://github.com/Mefhika120/Ashwesker-CVE-2025-60021

This is a functional PoC for CVE-2025-60021, demonstrating unauthenticated remote command execution in Apache bRPC via command injection in the `extra_options` parameter of the `/pprof/heap` endpoint.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Apache bRPC < 1.15.0
No auth needed
Prerequisites: Vulnerable Apache bRPC server with heap profiler enabled · Network access to the target
devstral-2 · analyzed Feb 16, 2026
nomisec WRITEUP
by ninjazan420 · poc
https://github.com/ninjazan420/CVE-2025-60021-PoC-Apache-bRPC-Heap-Profiler-Command-Injection

This repository contains a detailed writeup for CVE-2025-60021, a command injection vulnerability in Apache bRPC's heap profiler endpoint. It includes attack vectors, payload examples, bypass techniques, and post-exploitation commands.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Apache bRPC < 1.15.0
No auth needed
Prerequisites: Access to the `/pprof/heap` endpoint
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Mailing List, Vendor Advisory: https://lists.apache.org/thread/xy51d2fx6drzhfp92xptsx5845q7b37m
Mailing List, Third Party Advisory: http://www.openwall.com/lists/oss-security/2026/01/16/4

Scores

CVSS v3: 9.8
EPSS: 0.0031
EPSS Percentile: 54.4%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

VulnCheck KEV: 2026-05-01
Ransomware Use: Confirmed
CWE: CWE-77
Status: published
Products (1)
apache/brpc 1.11.0 - 1.15.0
Published: Jan 16, 2026
Tracked Since: Feb 18, 2026