A critical vulnerability, identified as CVE-2025-9588, has been discovered in the Iron Mountain Archiving Services Inc. EnVision product. This flaw allows an attacker to execute arbitrary commands on the underlying server, potentially leading to a complete system compromise, data theft, and significant operational disruption. Due to its maximum CVSS score of 10.0, this vulnerability requires immediate attention and remediation.

This vulnerability is an OS Command Injection, which occurs because the EnVision application fails to properly sanitize user-supplied input before passing it to the underlying operating system. An unauthenticated remote attacker can craft a special request containing malicious OS commands. When the application processes this input, it executes the attacker's commands with the same privileges as the application itself, leading to a full compromise of the host system.

This vulnerability is rated as critical severity with a CVSS score of 10.0. A successful exploit would grant an attacker complete control over the server hosting the EnVision software. The potential consequences include unauthorized access to, and exfiltration of, sensitive archived data; modification or deletion of critical records; deployment of ransomware or other malware; and using the compromised system as a foothold to launch further attacks against the internal network. Such an incident could result in severe financial loss, reputational damage, and regulatory penalties.

Immediate Action: Update Iron Mountain Archiving Services Inc. EnVision to the latest version as recommended by the vendor to patch the vulnerability. Before or after patching, it is critical to monitor for exploitation attempts and review system and application access logs for any signs of compromise that may have occurred.

Proactive Monitoring: Implement enhanced monitoring on affected systems. Look for unusual processes being spawned by the EnVision application's service account, unexpected outbound network connections, and suspicious command-line strings in application and web server logs (e.g., containing characters like ;, |, &, &&, or command syntax like wget, curl).

Compensating Controls: If patching cannot be performed immediately, apply the following compensating controls:

• Restrict network access to the EnVision application interface to only trusted IP addresses and subnets.
• Deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block OS command injection payloads.
• Ensure the application is running with the lowest possible user privileges to limit the potential impact of a successful exploit.

Public Exploit Available: false

This vulnerability presents a critical and immediate risk to the organization. Due to its maximum severity score and the potential for complete system takeover, patching all affected instances of Iron Mountain EnVision must be treated as the highest priority. Although not currently listed on the CISA KEV catalog, its characteristics make it a likely candidate for future inclusion. We strongly recommend that all vulnerable systems be identified and updated without delay to prevent a potentially devastating security breach.