CVE-2025-5525

5.6 MEDIUM

📋 TL;DR

CVE-2025-5525 is a critical command injection vulnerability in Jrohy trojan versions up to 2.15.3. Attackers can execute arbitrary operating system commands remotely by manipulating the LogChan function's argument. This affects all users running vulnerable versions of Jrohy trojan.

💻 Affected Systems

Products:
  • Jrohy trojan
Versions: Up to and including 2.15.3
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is in the trojan/util/linux.go file and affects the LogChan function. All default configurations are vulnerable.
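The page names the bug class (OS command injection through a function argument) but does not show the affected code. The following Go snippet is an added illustration, not Jrohy trojan's code: it contrasts the generic anti-pattern that produces this class of bug (an argument spliced into a string handed to `sh -c`) with the hardened form (an allowlist check on the argument, then an argv slice passed straight to the program with no shell). The unit name, the `journalctl` invocation and the function names are assumptions chosen for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
)

// vulnerableLogArgs shows the anti-pattern (constructed illustration, not the
// project's code): the caller-controlled unitName is concatenated into a single
// string that the shell parses, so metacharacters in it become extra commands.
func vulnerableLogArgs(unitName string) []string {
	return []string{"sh", "-c", "journalctl -u " + unitName + " -n 50"}
}

// safeUnitName is an allowlist for systemd unit names; anything outside it,
// including ';', '|', '$', quotes and whitespace, is rejected.
var safeUnitName = regexp.MustCompile(`^[A-Za-z0-9_.@-]{1,64}$`)

var errBadUnitName = errors.New("unit name rejected by allowlist")

// hardenedLogArgs validates the argument and builds an argv slice. Each
// element reaches the program as one argument; no shell ever sees the string.
func hardenedLogArgs(unitName string) ([]string, error) {
	if !safeUnitName.MatchString(unitName) {
		return nil, errBadUnitName
	}
	return []string{"journalctl", "-u", unitName, "-n", "50"}, nil
}

// runHardened executes the validated argv. exec.Command takes the program and
// its arguments separately, which is what makes the call injection-proof.
func runHardened(unitName string) ([]byte, error) {
	argv, err := hardenedLogArgs(unitName)
	if err != nil {
		return nil, err
	}
	return exec.Command(argv[0], argv[1:]...).CombinedOutput()
}

func main() {
	for _, name := range []string{"trojan", "trojan; echo injected"} {
		fmt.Printf("vulnerable argv: %q\n", vulnerableLogArgs(name))
		argv, err := hardenedLogArgs(name)
		fmt.Printf("hardened argv:   %q err=%v\n", argv, err)
	}
}
```

The point to check in any Go code base with this bug class is whether `exec.Command` is ever called with `"sh"`/`"bash"` and `"-c"` while the command string includes data from outside the program; replacing that with a direct argv call plus an allowlist removes the shell parsing step that the injection depends on.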


⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise allowing attackers to execute arbitrary commands, install additional malware, exfiltrate data, or pivot to other systems.

🟠 Likely Case

Remote code execution leading to backdoor installation, data theft, or cryptocurrency mining malware deployment.

🟢 If Mitigated

Limited impact if proper network segmentation, least privilege, and monitoring are in place to detect and contain exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Public proof-of-concept code exists, and exploitation can be initiated remotely without authentication, though the complexity is rated as medium.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch is available. Consider removing Jrohy trojan from affected systems or implementing workarounds.

🔧 Temporary Workarounds

Remove Jrohy trojan (Linux)

Uninstall Jrohy trojan from affected systems to eliminate the vulnerability.

sudo systemctl stop jrohy-trojan
sudo apt remove jrohy-trojan || sudo yum remove jrohy-trojan

Network isolation (Linux)

Restrict network access to Jrohy trojan instances using firewall rules. The rule below drops all inbound traffic to the service port; if the service must stay reachable from an administrative network, add an ACCEPT rule for those trusted sources ahead of it.

sudo iptables -A INPUT -p tcp --dport [JROHY_PORT] -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate affected systems
  • Deploy endpoint detection and response (EDR) tools to monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check the Jrohy trojan version. If it is 2.15.3 or earlier, the system is vulnerable.

Check Version:

jrohy-trojan --version || dpkg -l | grep jrohy-trojan || rpm -qa | grep jrohy-trojan

Verify Fix Applied:

Verify that Jrohy trojan has been removed or updated to a version above 2.15.3.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in system logs
  • Suspicious process creation from Jrohy trojan

Network Indicators:

  • Unexpected outbound connections from Jrohy trojan instances
  • Anomalous traffic patterns to/from trojan ports

SIEM Query:

process_name:"jrohy-trojan" AND (event_type:"process_creation" OR cmdline:*sh*)
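The SIEM query above is written for a search engine; the following Go program is an added example (not part of the page) that implements the same logic over constructed process-creation events so its behaviour can be checked offline. It also adds a tighter rule the page does not state: a shell whose parent process is the trojan binary, which is the shape command injection through a shell-wrapped exec call takes. Field names (`event_type`, `process_name`, `parent_name`, `cmdline`) and the sample records are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Event holds the subset of fields a process-creation record would carry.
type Event struct {
	EventType   string `json:"event_type"`
	ProcessName string `json:"process_name"`
	ParentName  string `json:"parent_name"`
	Cmdline     string `json:"cmdline"`
}

// sampleLog is constructed test data, not real telemetry: a benign sshd start,
// the trojan service starting, a shell spawned by the trojan, and a network event.
const sampleLog = `{"event_type":"process_creation","process_name":"sshd","parent_name":"systemd","cmdline":"/usr/sbin/sshd -D"}
{"event_type":"process_creation","process_name":"jrohy-trojan","parent_name":"systemd","cmdline":"/usr/bin/jrohy-trojan web"}
{"event_type":"process_creation","process_name":"sh","parent_name":"jrohy-trojan","cmdline":"sh -c journalctl -u trojan; id"}
{"event_type":"network_connect","process_name":"jrohy-trojan","parent_name":"systemd","cmdline":"/usr/bin/jrohy-trojan web"}`

// matchesPageQuery is the page's SIEM query taken literally:
// process_name:"jrohy-trojan" AND (event_type:"process_creation" OR cmdline:*sh*)
func matchesPageQuery(ev Event) bool {
	return ev.ProcessName == "jrohy-trojan" &&
		(ev.EventType == "process_creation" || strings.Contains(ev.Cmdline, "sh"))
}

// matchesChildShell is the tighter rule (an addition, not from the page):
// a shell created with the trojan process as its parent.
func matchesChildShell(ev Event) bool {
	shells := map[string]bool{"sh": true, "bash": true, "dash": true}
	return ev.EventType == "process_creation" &&
		ev.ParentName == "jrohy-trojan" &&
		shells[ev.ProcessName]
}

// parseEvents reads newline-delimited JSON records, skipping blank lines.
func parseEvents(raw string) ([]Event, error) {
	var events []Event
	for i, line := range strings.Split(raw, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		events = append(events, ev)
	}
	return events, nil
}

// scan returns the events each rule flags so the two can be compared.
func scan(raw string) (pageHits, childShellHits []Event, err error) {
	events, err := parseEvents(raw)
	if err != nil {
		return nil, nil, err
	}
	for _, ev := range events {
		if matchesPageQuery(ev) {
			pageHits = append(pageHits, ev)
		}
		if matchesChildShell(ev) {
			childShellHits = append(childShellHits, ev)
		}
	}
	return pageHits, childShellHits, nil
}

func main() {
	page, child, err := scan(sampleLog)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Printf("page query hits (%d):\n", len(page))
	for _, ev := range page {
		fmt.Printf("  %s %s\n", ev.EventType, ev.Cmdline)
	}
	fmt.Printf("child-shell hits (%d):\n", len(child))
	for _, ev := range child {
		fmt.Printf("  parent=%s %s\n", ev.ParentName, ev.Cmdline)
	}
}
```

Running it shows the gap: the page's query fires on the trojan's own normal service start (every `process_creation` of the binary matches, which is noise) and misses the injected shell, because that event's `process_name` is `sh`, not `jrohy-trojan`. The `cmdline:*sh*` wildcard is also broad enough to match `ssh` or `bash` anywhere in a command line. Keying on the parent-child relationship, as the second rule does, is what isolates the post-injection behaviour.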
