A critical vulnerability has been identified in In pig-mesh Pig versions 3.8.2 and below, assigned CVE-2025-63690 with a CVSS score of 9.1. This flaw allows an attacker with access to the system's scheduled task function to execute arbitrary code, potentially leading to a complete compromise of the affected server. Immediate patching is required to prevent unauthorized access, data theft, and service disruption.

The vulnerability exists within the Quartz management function, located in the system management module. The system fails to properly sanitize or restrict the "Invoke Target" field when a user creates or modifies a scheduled task. An authenticated attacker with privileges to access this function can specify an arbitrary Java class and method to be executed by the scheduler. By crafting a malicious payload, the attacker can invoke dangerous classes already present on the system's classpath to achieve remote code execution (RCE) on the underlying server.

This is a critical severity vulnerability with a CVSS score of 9.1. Successful exploitation grants an attacker full control over the application server, allowing for remote code execution with the privileges of the application's service account. The potential business impact includes theft or manipulation of sensitive data processed by the application, deployment of ransomware, lateral movement into the broader corporate network, and complete disruption of business operations reliant on the affected system. The reputational damage and financial costs associated with a breach of this nature are significant.

Immediate Action: Immediately upgrade all instances of In Multiple Products (specifically pig-mesh Pig) to a version higher than 3.8.2. Organizations must check the official vendor security advisory for specific patch details and follow the recommended update procedures. After patching, review system and audit logs for any signs of compromise or suspicious scheduled task creation that may have occurred prior to the update.

Proactive Monitoring: Implement enhanced monitoring on affected systems. Specifically, audit logs for the creation or modification of scheduled tasks within the Quartz management function, paying close attention to the Java classes being invoked. Monitor for unexpected child processes spawned by the application's Java process and scrutinize outbound network traffic from the server for anomalous connections that could indicate command-and-control (C2) activity or data exfiltration.

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls:

• Strictly limit access to the system management module and the Quartz scheduling function to only essential, highly-trusted administrative personnel.
• Deploy a Web Application Firewall (WAF) with rules specifically designed to inspect and block requests that attempt to configure scheduled tasks with suspicious or non-standard Java class paths.
• Utilize application whitelisting or an Endpoint Detection and Response (EDR) solution to restrict the commands and processes that the application server is permitted to execute.

Public Exploit Available: false

Given the critical severity of this remote code execution vulnerability, we strongly recommend that organizations prioritize patching all affected systems immediately. While this CVE is not currently listed on the CISA KEV catalog, vulnerabilities of this type are prime candidates for future inclusion once exploitation becomes widespread. If patching cannot be performed immediately, the compensating controls outlined above should be implemented as a matter of urgency to reduce the attack surface and mitigate risk.