CVE-2025-69600 Raynet CVE debrief

Who should care

System administrators managing Raynet RayVentory/rvia 12.6.4392.49 deployments; security teams responsible for Linux endpoint protection; organizations with multi-user systems where untrusted users have local access and can create directory structures.

Technical summary

The rvia application in version 12.6.4392.49 uses a find command to locate a Java executable. The search criteria in this command is improperly terminated and lacks proper sanitization. A local attacker can create a specially crafted directory structure whose path satisfies the malformed find query. When the application executes its internal search logic, it inadvertently executes arbitrary Java code supplied by the attacker. This represents argument injection rather than traditional PATH manipulation, as the attack targets the application's internal command construction rather than environment variables.

Defensive priority

high

Recommended defensive actions

• Review Raynet support article RVY200865 for official remediation guidance for RayVentory 12.6
• Apply vendor-supplied patches or updates for rvia 12.6.4392.49 as directed by Raynet
• Audit systems for unauthorized Java executables in user-writable directories
• Implement principle of least privilege to restrict local user ability to create crafted directory structures
• Monitor for anomalous find command executions or unexpected Java process spawning by the rvia application

Evidence notes

The CVE description identifies the root cause as an incorrectly constructed find command with improperly terminated search criteria. The supplier's perspective, as captured in the CVE record, attributes this to argument injection in the find command query. Two reference links are provided: a GitHub repository (Wise-Security/CVE-2025-69600) and an official Raynet support article (RVY200865) addressing RayVentory 12.6.

Official resources