The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory warning of a critical vulnerability in the Megasys Telenium Online Web Application that could lead to remote code execution (RCE) if exploited. Tracked as CVE-2025-10659, the flaw carries a CVSS v3.1 base score of 9.8, placing it in the most severe category of vulnerabilities.
According to the advisory, “The Telenium Online Web Application is vulnerable due to a PHP endpoint accessible to unauthenticated network users that improperly handles user-supplied input. This occurs due to the insecure termination of a regular expression check within the endpoint.”
Because the input is not properly sanitized, attackers can inject arbitrary operating system commands through a crafted HTTP request. “Successful exploitation of this vulnerability could allow an unauthenticated attacker to inject arbitrary operating system commands … leading to remote code execution on the server in the context of the web application service account.”
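The advisory does not publish the affected code, so the following is an added illustration of the bug class it describes (not Telenium code): two common ways a PHP regular-expression check can be terminated insecurely, shown beside a hardened check and defensive command construction. The parameter name ($host), the ping command and the candidate inputs are assumptions made for this example.

```php
<?php
// Added illustration of the bug class the advisory describes (not Telenium code):
// a PHP endpoint validates a user-supplied value with a regular expression whose
// end-of-input check is not terminated securely, then builds a shell command from it.
// The parameter name ($host) and the candidate inputs are assumptions for this example.

/** Weak check 1: no end anchor at all. preg_match() only needs a match starting
 *  at the beginning, so anything may follow the valid prefix. */
function validateNoEndAnchor(string $host): bool {
    return preg_match('/^[0-9.]+/', $host) === 1;
}

/** Weak check 2: '$' without the D (PCRE_DOLLAR_ENDONLY) modifier also matches
 *  just before a final "\n", so a value with a trailing newline slips through. */
function validateDollarAnchor(string $host): bool {
    return preg_match('/^[0-9.]+$/', $host) === 1;
}

/** Hardened check: \A and \z anchor to the absolute start and end of the subject,
 *  so the entire value must be a dotted-quad of allowed characters. */
function validateStrict(string $host): bool {
    return preg_match('/\A[0-9]{1,3}(?:\.[0-9]{1,3}){3}\z/', $host) === 1;
}

/** Defensive construction: validate strictly, then still quote the argument so shell
 *  metacharacters are never interpreted even if the validation pattern changes later. */
function buildPingCommand(string $host): ?string {
    if (!validateStrict($host)) {
        return null;              // reject; a real endpoint would log and return HTTP 400
    }
    return 'ping -c 1 ' . escapeshellarg($host);
}

// Constructed sample inputs: a legitimate address, the same address with a trailing
// newline, and a value with a shell separator after the valid prefix.
$samples = ["10.0.0.1", "10.0.0.1\n", "10.0.0.1; extra"];
foreach ($samples as $s) {
    printf("%-20s noEndAnchor=%-5s dollar=%-5s strict=%-5s cmd=%s\n",
        json_encode($s),
        var_export(validateNoEndAnchor($s), true),
        var_export(validateDollarAnchor($s), true),
        var_export(validateStrict($s), true),
        buildPingCommand($s) ?? '(rejected)');
}
```

Only the first sample passes the strict check and reaches command construction; the other two are accepted by at least one weak pattern, which is the gap a crafted request exploits.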
CISA confirmed that the following Megasys product is affected:
- Telenium Online Web Application: Versions 8.4.21 and prior
Megasys Enterprises has already provided a patch, and customers are urged to apply it immediately. Users should consult the Megasys support page for instructions on applying the fix.
CISA also advises organizations to adopt standard defense-in-depth strategies to minimize the risk of exploitation:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available.