RSEC200966: Command Injection via Unsafe System Calls (CVE-2025-69600)

Advisory ID: RSEC200966

CVE Identifier: CVE-2025-69600

Affected products: RayVentory Scan Engine 12.6 Update 8 and earlier versions.

Description

The RayVentory Inventory Agent (rvia) was vulnerable to command injection attacks due to improper sanitization of input parameters passed to external system commands.

Technical Details

  • Vulnerability Type: CWE-77 (Command Injection)
  • Attack Vector: Local
  • Impact: Arbitrary Code Execution (ACE)
  • Mechanism: The agent used unsafe system() and popen() calls to execute shell commands. Input tokens (e.g., hardware serial numbers or file metadata) were not properly escaped, allowing shell metacharacters (;, &, |) to be interpreted as command separators or redirections.

Severity

  • Rating: Critical
  • CVSS Base Score: [Pending]

Remediation

  • Fixed Version: RayVentory Scan Engine 12.6.3800.131 Update 9 (Released Feb 4, 2026)
  • Changes: Replacement of shell-mediated calls with direct process-spawning APIs and a new universal escaping engine for remaining shell interactions.
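The following is an added illustration, not RayVentory's code, of the defect described under Technical Details and of the two remediation patterns named above. It contrasts the vulnerable shape (an untrusted token such as a serial number pasted into a command string destined for system() or popen()) with a direct process spawn through an argv array, where no shell parses the token, and with a single-quote escaping routine of the kind an escaping engine would apply where a shell is unavoidable. The program name inventory-tool, the token values and the function names are constructed for the example.

```c
/* Added example (not the advisory's or the product's code): the
 * shell-mediated pattern behind CWE-77 beside its hardened forms. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* VULNERABLE PATTERN: the token is concatenated into a command string
 * that would then be handed to system()/popen().  A token containing
 * ';', '&' or '|' is parsed by the shell as a separator, exactly the
 * mechanism the advisory describes.  Built here for display only;
 * it is never executed.  Returns 0 on success, -1 if truncated. */
int format_shell_command_unsafe(const char *serial, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "inventory-tool --serial %s", serial);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* DEFENSIVE CHECK: flag tokens carrying shell metacharacters.  Useful as
 * an input guard and as a logging signal even after the shell is gone.
 * Returns 1 if any metacharacter is present, 0 otherwise. */
int contains_shell_metachar(const char *s) {
    static const char meta[] = ";&|$`<>()\\\"'\n*?~[]{}";
    return strpbrk(s, meta) != NULL;
}

/* HARDENED FORM 2: single-quote escaping for unavoidable shell use.
 * Inside single quotes the shell interprets nothing, so the only byte
 * needing treatment is the quote itself, rewritten as '\''.
 * Returns 0 on success, -1 if the output buffer is too small. */
int shell_quote(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    if (o + 1 >= outlen) return -1;
    out[o++] = '\'';
    for (const char *p = in; *p; p++) {
        if (*p == '\'') {
            if (o + 4 >= outlen) return -1;
            memcpy(out + o, "'\\''", 4);
            o += 4;
        } else {
            if (o + 1 >= outlen) return -1;
            out[o++] = *p;
        }
    }
    if (o + 2 > outlen) return -1;
    out[o++] = '\'';
    out[o] = '\0';
    return 0;
}

/* HARDENED FORM 1: spawn the program directly with an argv array.
 * execvp() hands each element to the child verbatim; no shell is
 * involved, so separators and redirections are just characters.
 * Returns the child's exit status, or -1 on fork/exec/wait failure. */
int run_no_shell(char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);            /* exec failed in the child */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed token: a serial number carrying a shell separator. */
    char serial[] = "SN-1234;echo injected";
    char cmd[256], quoted[256];

    format_shell_command_unsafe(serial, cmd, sizeof cmd);
    printf("unsafe command string (never run): %s\n", cmd);
    printf("metacharacters present: %d\n", contains_shell_metachar(serial));

    shell_quote(serial, quoted, sizeof quoted);
    printf("escaped for shell: %s\n", quoted);

    /* Direct spawn: echo receives the whole token as one argument and
     * prints it literally, separator included. */
    char *argv[] = { "echo", "--serial", serial, NULL };
    return run_no_shell(argv) == 0 ? 0 : 1;
}
```

The argv route is the preferable fix: it removes the shell from the path entirely, so there is nothing left to escape and the metacharacter check becomes a telemetry signal rather than the last line of defence. shell_quote() is shown for the residual cases the advisory mentions; it only covers POSIX sh quoting, and the output must still be placed where a single-quoted word is expected.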

Credits

Vulnerability identified by Rafael José Núñez Gulías of WSG127.

Global Timeline

  • Validation: January 16, 2026
  • Patch Development: January 29, 2026
  • Public Release: February 4, 2026

More information

For more information, refer to the Changelog (https://docs.raynet.de/rayventory/scan-engine/12.6-u9/Changelog.pdf).
