Common Weakness Enumeration

CWE-77

Allowed-with-Review

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Abstraction: Class · Status: Draft

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

5381 vulnerabilities reference this CWE, most recent first.

CVE-2025-5145 (GCVE-0-2025-5145)

Vulnerability from cvelistv5 – Published: 2025-05-25 05:31 – Updated: 2025-07-11 08:41
VLAI
Title
Netcore POWER13 Query String cgi-bin command injection
Summary
A vulnerability, which was classified as critical, was found in Netcore NBR1005GPEV2, B6V2, COVER5, NAP830, NAP930, NBR100V2, NBR200V2 and POWER13 up to 20250508. This affects an unknown part of the file /www/cgi-bin/ of the component Query String Handler. The manipulation leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Credits
ricardo123 (VulDB User) ricardo123 (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-5145",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-28T17:27:50.760045Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-28T17:38:57.471Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "Query String Handler"
          ],
          "product": "NBR1005GPEV2",
          "vendor": "Netcore",
          "versions": [
            {
              "status": "affected",
              "version": "20250508"
            }
          ]
        },
        {
          "modules": [
            "Query String Handler"
          ],
          "product": "B6V2",
          "vendor": "Netcore",
          "versions": [
            {
              "status": "affected",
              "version": "20250508"
            }
          ]
        },
        {
          "modules": [
            "Query String Handler"
          ],
          "product": "COVER5",
          "vendor": "Netcore",
          "versions": [
            {
              "status": "affected",
              "version": "20250508"
            }
          ]
        },
        {
          "modules": [
            "Query String Handler"
          ],
          "product": "NAP830",
          "vendor": "Netcore",
          "versions": [
            {
              "status": "affected",
              "version": "20250508"
            }
          ]
        },
        {
          "modules": [
            "Query String Handler"
          ],
          "product": "NAP930",
          "vendor": "Netcore",
          "versions": [
            {
              "status": "affected",
              "version": "20250508"
            }
          ]
        },
        {
          "modules": [
            "Query String Handler"
          ],
          "product": "NBR100V2",
          "vendor": "Netcore",
          "versions": [
            {
              "status": "affected",
              "version": "20250508"
            }
          ]
        },
        {
          "modules": [
            "Query String Handler"
          ],
          "product": "NBR200V2",
          "vendor": "Netcore",
          "versions": [
            {
              "status": "affected",
              "version": "20250508"
            }
          ]
        },
        {
          "modules": [
            "Query String Handler"
          ],
          "product": "POWER13",
          "vendor": "Netcore",
          "versions": [
            {
              "status": "affected",
              "version": "20250508"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "ricardo123 (VulDB User)"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "ricardo123 (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability, which was classified as critical, was found in Netcore NBR1005GPEV2, B6V2, COVER5, NAP830, NAP930, NBR100V2, NBR200V2 and POWER13 up to 20250508. This affects an unknown part of the file /www/cgi-bin/ of the component Query String Handler. The manipulation leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used."
        },
        {
          "lang": "de",
          "value": "Es wurde eine kritische Schwachstelle in Netcore NBR1005GPEV2, B6V2, COVER5, NAP830, NAP930, NBR100V2, NBR200V2 and POWER13 bis 20250508 gefunden. Dabei betrifft es einen unbekannter Codeteil der Datei /www/cgi-bin/ der Komponente Query String Handler. Dank der Manipulation mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "Command Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-11T08:41:34.484Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-310233 | Netcore POWER13 Query String cgi-bin command injection",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.310233"
        },
        {
          "name": "VDB-310233 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.310233"
        },
        {
          "name": "Submit #573492 | Netcore NBR1005GPE;COVER5;NBR100;NBR200;POWER13;B6;NAP930;NAP830  NBR1005GPEV2_V1.3.241107.015153;NBR100V2 V1.3.240614.030928; NBR200V2 V1.3.241127.071246;NAP930 V0.1.241010.141410;NAP830 V0.1.2 Command Injection",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.573492"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/Exploo0Osion/netcore_unauth"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://anonymous.4open.science/r/netcore_unauth-7D2E"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-05-24T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-05-24T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-07-11T10:46:30.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Netcore POWER13 Query String cgi-bin command injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-5145",
    "datePublished": "2025-05-25T05:31:04.552Z",
    "dateReserved": "2025-05-24T13:36:56.691Z",
    "dateUpdated": "2025-07-11T08:41:34.484Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-5139 (GCVE-0-2025-5139)

Vulnerability from cvelistv5 – Published: 2025-05-25 01:00 – Updated: 2025-06-11 13:38
VLAI
Title
Qualitor Office 365-type Connection testaConexaoOffice365.php command injection
Summary
A vulnerability was found in Qualitor 8.20/8.24. It has been rated as critical. Affected by this issue is some unknown functionality of the file /html/ad/adconexaooffice365/request/testaConexaoOffice365.php of the component Office 365-type Connection Handler. The manipulation of the argument nmconexao leads to command injection. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 8.20.56 and 8.24.31 is able to address this issue. It is recommended to upgrade the affected component.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
URL Tags
https://vuldb.com/?id.310220 vdb-entrytechnical-description
https://vuldb.com/?ctiid.310220 signaturepermissions-required
https://vuldb.com/?submit.572477 third-party-advisory
https://www.youtube.com/watch?v=Dq4C5s9Uwyo media-coverage
https://gist.githubusercontent.com/MatheuZSecurit… broken-linkexploit
Impacted products
Vendor Product Version
n/a Qualitor Affected: 8.20
Affected: 8.24
Unaffected: 8.20.56
Unaffected: 8.24.31
Credits
matheuzsec (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-5139",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-28T17:29:16.473374Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-28T17:39:10.057Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "Office 365-type Connection Handler"
          ],
          "product": "Qualitor",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "8.20"
            },
            {
              "status": "affected",
              "version": "8.24"
            },
            {
              "status": "unaffected",
              "version": "8.20.56"
            },
            {
              "status": "unaffected",
              "version": "8.24.31"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "matheuzsec (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in Qualitor 8.20/8.24. It has been rated as critical. Affected by this issue is some unknown functionality of the file /html/ad/adconexaooffice365/request/testaConexaoOffice365.php of the component Office 365-type Connection Handler. The manipulation of the argument nmconexao leads to command injection. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 8.20.56 and 8.24.31 is able to address this issue. It is recommended to upgrade the affected component."
        },
        {
          "lang": "de",
          "value": "Eine kritische Schwachstelle wurde in Qualitor 8.20/8.24 ausgemacht. Davon betroffen ist unbekannter Code der Datei /html/ad/adconexaooffice365/request/testaConexaoOffice365.php der Komponente Office 365-type Connection Handler. Durch das Beeinflussen des Arguments nmconexao mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Sie ist schwierig ausnutzbar. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Ein Aktualisieren auf die Version 8.20.56 and 8.24.31 vermag dieses Problem zu l\u00f6sen. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.8,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "Command Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-11T13:38:12.795Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-310220 | Qualitor Office 365-type Connection testaConexaoOffice365.php command injection",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.310220"
        },
        {
          "name": "VDB-310220 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.310220"
        },
        {
          "name": "Submit #572477 | Qualitor Qualitor Web 8.20. - BD 206 Command Injection",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.572477"
        },
        {
          "tags": [
            "media-coverage"
          ],
          "url": "https://www.youtube.com/watch?v=Dq4C5s9Uwyo"
        },
        {
          "tags": [
            "broken-link",
            "exploit"
          ],
          "url": "https://gist.githubusercontent.com/MatheuZSecurity/fe221fd5b2e5393abf76be42f11f52c3/raw/e8d9c63885f0b83b3374db3d31dbe2c69c868334/poc.sh"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-05-23T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-05-23T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-06-11T15:42:58.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Qualitor Office 365-type Connection testaConexaoOffice365.php command injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-5139",
    "datePublished": "2025-05-25T01:00:07.429Z",
    "dateReserved": "2025-05-23T18:56:55.098Z",
    "dateUpdated": "2025-06-11T13:38:12.795Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-5126 (GCVE-0-2025-5126)

Vulnerability from cvelistv5 – Published: 2025-05-24 15:00 – Updated: 2025-10-15 13:18
VLAI
Title
Teledyne FLIR AX8 settingsregional.php setDataTime command injection
Summary
A vulnerability was found in Teledyne FLIR AX8 up to 1.46.16. This vulnerability affects the function setDataTime of the file \usr\www\application\models\settingsregional.php. Performing manipulation of the argument year/month/day/hour/minute results in command injection. The attack may be initiated remotely. The exploit has been made public and could be used. Upgrading to version 1.49.16 is able to resolve this issue. Upgrading the affected component is recommended. The vendor points out: "FLIR AX8 internal web site has been refactored to be able to handle the reported vulnerabilities."
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
URL Tags
https://vuldb.com/?id.310204 vdb-entrytechnical-description
https://vuldb.com/?ctiid.310204 signaturepermissions-required
https://vuldb.com/?submit.570725 third-party-advisory
https://vuldb.com/?submit.572266 third-party-advisory
https://vuldb.com/?submit.572275 third-party-advisory
https://vuldb.com/?submit.572277 third-party-advisory
https://github.com/YZS17/CVE/blob/main/Remote%20C… broken-link
https://github.com/YZS17/CVE/blob/main/Remote%20C… broken-linkexploit
Impacted products
Vendor Product Version
Teledyne FLIR AX8 Affected: 1.46.0
Affected: 1.46.1
Affected: 1.46.2
Affected: 1.46.3
Affected: 1.46.4
Affected: 1.46.5
Affected: 1.46.6
Affected: 1.46.7
Affected: 1.46.8
Affected: 1.46.9
Affected: 1.46.10
Affected: 1.46.11
Affected: 1.46.12
Affected: 1.46.13
Affected: 1.46.14
Affected: 1.46.15
Affected: 1.46.16
Unaffected: 1.49.16
Create a notification for this product.
Credits
XU17 (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-5126",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-27T14:23:29.951841Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-28T17:40:27.474Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/YZS17/CVE/blob/main/Remote%20Command%20Injection%20in%20parameter%20%24minute.md"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AX8",
          "vendor": "Teledyne FLIR",
          "versions": [
            {
              "status": "affected",
              "version": "1.46.0"
            },
            {
              "status": "affected",
              "version": "1.46.1"
            },
            {
              "status": "affected",
              "version": "1.46.2"
            },
            {
              "status": "affected",
              "version": "1.46.3"
            },
            {
              "status": "affected",
              "version": "1.46.4"
            },
            {
              "status": "affected",
              "version": "1.46.5"
            },
            {
              "status": "affected",
              "version": "1.46.6"
            },
            {
              "status": "affected",
              "version": "1.46.7"
            },
            {
              "status": "affected",
              "version": "1.46.8"
            },
            {
              "status": "affected",
              "version": "1.46.9"
            },
            {
              "status": "affected",
              "version": "1.46.10"
            },
            {
              "status": "affected",
              "version": "1.46.11"
            },
            {
              "status": "affected",
              "version": "1.46.12"
            },
            {
              "status": "affected",
              "version": "1.46.13"
            },
            {
              "status": "affected",
              "version": "1.46.14"
            },
            {
              "status": "affected",
              "version": "1.46.15"
            },
            {
              "status": "affected",
              "version": "1.46.16"
            },
            {
              "status": "unaffected",
              "version": "1.49.16"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "XU17 (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in Teledyne FLIR AX8 up to 1.46.16. This vulnerability affects the function setDataTime of the file \\usr\\www\\application\\models\\settingsregional.php. Performing manipulation of the argument year/month/day/hour/minute results in command injection. The attack may be initiated remotely. The exploit has been made public and could be used. Upgrading to version 1.49.16 is able to resolve this issue. Upgrading the affected component is recommended. The vendor points out: \"FLIR AX8 internal web site has been refactored to be able to handle the reported vulnerabilities.\""
        },
        {
          "lang": "de",
          "value": "Eine Schwachstelle wurde in Teledyne FLIR AX8 up to 1.46.16 gefunden. Es geht um die Funktion setDataTime der Datei \\usr\\www\\application\\models\\settingsregional.php. Mittels Manipulieren des Arguments year/month/day/hour/minute mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Die Ausnutzung wurde ver\u00f6ffentlicht und kann verwendet werden. Ein Upgrade auf Version 1.49.16 ist in der Lage, dieses Problem zu adressieren. Die Aktualisierung der betroffenen Komponente wird empfohlen."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 9,
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "Command Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-15T13:18:48.138Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-310204 | Teledyne FLIR AX8 settingsregional.php setDataTime command injection",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.310204"
        },
        {
          "name": "VDB-310204 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.310204"
        },
        {
          "name": "Submit #570725 | FLIR AX8 \u003c= 1.46 Remote Command Injection",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.570725"
        },
        {
          "name": "Submit #572266 | FLIR AX8 \u003c= 1.46 Remote Command Injection (Duplicate)",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.572266"
        },
        {
          "name": "Submit #572275 | FLIR AX8 \u003c= 1.46 Remote Command Injection (Duplicate)",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.572275"
        },
        {
          "name": "Submit #572277 | FLIR AX8 \u003c= 1.46 Remote Command Injection (Duplicate)",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.572277"
        },
        {
          "tags": [
            "broken-link"
          ],
          "url": "https://github.com/YZS17/CVE/blob/main/Remote%20Command%20Injection%20in%20parameter%20%24minute.md"
        },
        {
          "tags": [
            "broken-link",
            "exploit"
          ],
          "url": "https://github.com/YZS17/CVE/blob/main/Remote%20Command%20Injection%20in%20parameter%20%24hour.md"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-05-23T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-05-23T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-10-15T15:23:27.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Teledyne FLIR AX8 settingsregional.php setDataTime command injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-5126",
    "datePublished": "2025-05-24T15:00:10.190Z",
    "dateReserved": "2025-05-23T18:09:10.108Z",
    "dateUpdated": "2025-10-15T13:18:48.138Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-5113 (GCVE-0-2025-5113)

Vulnerability from cvelistv5 – Published: 2025-06-02 07:13 – Updated: 2025-06-02 13:32
VLAI
Title
Authenticated Remote Command Injection in Diviotec NBR IP Cameras
Summary
The Diviotec professional series exposes a web interface. One endpoint is vulnerable to arbitrary command injection and hardcoded passwords are used.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
Impacted products
Vendor Product Version
Diviotec nbr222p Affected: 0 , ≤ 2.0170.3030 (semver)
Create a notification for this product.
Diviotec nbr222pv Affected: 0 , ≤ 2.0170.3030 (semver)
Create a notification for this product.
Diviotec nbr224p Affected: 0 , ≤ 2.0170.3030 (semver)
Create a notification for this product.
Diviotec nbr225p Affected: 0 , ≤ 2.0170.3030 (semver)
Create a notification for this product.
Diviotec nbr226p Affected: 0 , ≤ 2.0170.3030 (semver)
Create a notification for this product.
Diviotec nbf232p Affected: 0 , ≤ 2.0170.3030 (semver)
Create a notification for this product.
Diviotec nbf233p Affected: 0 , ≤ 2.0170.3030 (semver)
Create a notification for this product.
Diviotec ndr252p Affected: 0 , ≤ 2.0170.3030 (semver)
Create a notification for this product.
Diviotec ndr255p Affected: 0 , ≤ 2.0170.3030 (semver)
Create a notification for this product.
Credits
ONEKEY Research Labs
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-5113",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-02T13:32:09.592427Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-02T13:32:28.052Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "nbr222p",
          "vendor": "Diviotec",
          "versions": [
            {
              "lessThanOrEqual": "2.0170.3030",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "nbr222pv",
          "vendor": "Diviotec",
          "versions": [
            {
              "lessThanOrEqual": "2.0170.3030",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "nbr224p",
          "vendor": "Diviotec",
          "versions": [
            {
              "lessThanOrEqual": "2.0170.3030",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "nbr225p",
          "vendor": "Diviotec",
          "versions": [
            {
              "lessThanOrEqual": "2.0170.3030",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "nbr226p",
          "vendor": "Diviotec",
          "versions": [
            {
              "lessThanOrEqual": "2.0170.3030",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "nbf232p",
          "vendor": "Diviotec",
          "versions": [
            {
              "lessThanOrEqual": "2.0170.3030",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "nbf233p",
          "vendor": "Diviotec",
          "versions": [
            {
              "lessThanOrEqual": "2.0170.3030",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "ndr252p",
          "vendor": "Diviotec",
          "versions": [
            {
              "lessThanOrEqual": "2.0170.3030",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "ndr255p",
          "vendor": "Diviotec",
          "versions": [
            {
              "lessThanOrEqual": "2.0170.3030",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "ONEKEY Research Labs"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The Diviotec professional series exposes a web interface. One endpoint is vulnerable to arbitrary command injection and hardcoded passwords are used."
            }
          ],
          "value": "The Diviotec professional series exposes a web interface. One endpoint is vulnerable to arbitrary command injection and hardcoded passwords are used."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-88",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-88 OS Command Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "ADJACENT",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-02T07:13:54.433Z",
        "orgId": "2d533b80-6e4a-4e20-93e2-171235122846",
        "shortName": "ONEKEY"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.onekey.com/resource/security-advisory-remote-code-execution-on-diviotec-ip-camera-cve-2025-5113"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2025-03-04T08:00:00.000Z",
          "value": "Notification email sent to  sales@diviotec.com"
        },
        {
          "lang": "en",
          "time": "2025-04-15T07:00:00.000Z",
          "value": "Notification email sent to  sales@diviotec.com, support@diviotec.com, security@diviotec.com, psirt@diviotec.com, csirt@diviotec.com"
        },
        {
          "lang": "en",
          "time": "2025-04-27T07:00:00.000Z",
          "value": "Notification email sent to  sales@diviotec.com, support@diviotec.com, security@diviotec.com, psirt@diviotec.com, csirt@diviotec.com, and Nexcom personal emails"
        }
      ],
      "title": "Authenticated Remote Command Injection in Diviotec NBR IP Cameras",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2d533b80-6e4a-4e20-93e2-171235122846",
    "assignerShortName": "ONEKEY",
    "cveId": "CVE-2025-5113",
    "datePublished": "2025-06-02T07:13:54.433Z",
    "dateReserved": "2025-05-23T06:56:21.453Z",
    "dateUpdated": "2025-06-02T13:32:28.052Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-5106 (GCVE-0-2025-5106)

Vulnerability from cvelistv5 – Published: 2025-05-23 12:00 – Updated: 2025-05-23 13:09
VLAI
Title
Fujian Kelixun Filename fax_view.php os command injection
Summary
A vulnerability was found in Fujian Kelixun 1.0. It has been classified as critical. This affects an unknown part of the file /app/fax/fax_view.php of the component Filename Handler. The manipulation of the argument fax_file leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
URL Tags
https://vuldb.com/?id.310083 vdb-entrytechnical-description
https://vuldb.com/?ctiid.310083 signaturepermissions-required
https://vuldb.com/?submit.569404 third-party-advisory
https://github.com/byxs0x0/SQL/issues/2 exploitissue-tracking
Impacted products
Vendor Product Version
Fujian Kelixun Affected: 1.0
Create a notification for this product.
Credits
wanglun (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-5106",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-23T13:08:34.197588Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-23T13:09:55.208Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "Filename Handler"
          ],
          "product": "Kelixun",
          "vendor": "Fujian",
          "versions": [
            {
              "status": "affected",
              "version": "1.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "wanglun (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in Fujian Kelixun 1.0. It has been classified as critical. This affects an unknown part of the file /app/fax/fax_view.php of the component Filename Handler. The manipulation of the argument fax_file leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
        },
        {
          "lang": "de",
          "value": "Es wurde eine Schwachstelle in Fujian Kelixun 1.0 ausgemacht. Sie wurde als kritisch eingestuft. Dabei betrifft es einen unbekannter Codeteil der Datei /app/fax/fax_view.php der Komponente Filename Handler. Durch Manipulation des Arguments fax_file mit unbekannten Daten kann eine os command injection-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 7.5,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "OS Command Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "Command Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-23T12:00:09.164Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-310083 | Fujian Kelixun Filename fax_view.php os command injection",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.310083"
        },
        {
          "name": "VDB-310083 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.310083"
        },
        {
          "name": "Submit #569404 | Fujian Kelixun Communication Co., Ltd Command and dispatch management platform v1.0 Command Injection",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.569404"
        },
        {
          "tags": [
            "exploit",
            "issue-tracking"
          ],
          "url": "https://github.com/byxs0x0/SQL/issues/2"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-05-23T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-05-23T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-05-23T08:31:04.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Fujian Kelixun Filename fax_view.php os command injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-5106",
    "datePublished": "2025-05-23T12:00:09.164Z",
    "dateReserved": "2025-05-23T06:25:49.278Z",
    "dateUpdated": "2025-05-23T13:09:55.208Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-5030 (GCVE-0-2025-5030)

Vulnerability from cvelistv5 – Published: 2025-05-21 16:31 – Updated: 2025-05-21 19:51
VLAI
Title
Ackites KillWxapkg wxapkg File Parser unpack.go processFile os command injection
Summary
A vulnerability was found in Ackites KillWxapkg up to 2.4.1. It has been declared as critical. This vulnerability affects the function processFile of the file internal/unpack/unpack.go of the component wxapkg File Parser. The manipulation leads to os command injection. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
URL Tags
https://vuldb.com/?id.309850 vdb-entrytechnical-description
https://vuldb.com/?ctiid.309850 signaturepermissions-required
https://vuldb.com/?submit.580526 third-party-advisory
https://github.com/Ackites/KillWxapkg/issues/85 issue-tracking
https://github.com/Ackites/KillWxapkg/issues/85#i… exploitissue-tracking
Impacted products
Vendor Product Version
Ackites KillWxapkg Affected: 2.4.0
Affected: 2.4.1
Create a notification for this product.
Credits
zznQ (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-5030",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-21T19:51:30.440762Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-21T19:51:50.194Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/Ackites/KillWxapkg/issues/85"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "wxapkg File Parser"
          ],
          "product": "KillWxapkg",
          "vendor": "Ackites",
          "versions": [
            {
              "status": "affected",
              "version": "2.4.0"
            },
            {
              "status": "affected",
              "version": "2.4.1"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "zznQ (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in Ackites KillWxapkg up to 2.4.1. It has been declared as critical. This vulnerability affects the function processFile of the file internal/unpack/unpack.go of the component wxapkg File Parser. The manipulation leads to os command injection. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used."
        },
        {
          "lang": "de",
          "value": "In Ackites KillWxapkg bis 2.4.1 wurde eine Schwachstelle ausgemacht. Sie wurde als kritisch eingestuft. Es geht um die Funktion processFile der Datei internal/unpack/unpack.go der Komponente wxapkg File Parser. Mit der Manipulation mit unbekannten Daten kann eine os command injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Das Ausnutzen gilt als schwierig. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 5.1,
            "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "OS Command Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "Command Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-21T16:31:04.911Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-309850 | Ackites KillWxapkg wxapkg File Parser unpack.go processFile os command injection",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.309850"
        },
        {
          "name": "VDB-309850 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.309850"
        },
        {
          "name": "Submit #580526 | KillWxapkg v2.4.1 OS Command Injection",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.580526"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/Ackites/KillWxapkg/issues/85"
        },
        {
          "tags": [
            "exploit",
            "issue-tracking"
          ],
          "url": "https://github.com/Ackites/KillWxapkg/issues/85#issue-3052039180"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-05-21T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-05-21T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-05-21T13:03:43.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Ackites KillWxapkg wxapkg File Parser unpack.go processFile os command injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-5030",
    "datePublished": "2025-05-21T16:31:04.911Z",
    "dateReserved": "2025-05-21T10:58:36.066Z",
    "dateUpdated": "2025-05-21T19:51:50.194Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-5000 (GCVE-0-2025-5000)

Vulnerability from cvelistv5 – Published: 2025-05-20 21:00 – Updated: 2025-05-21 14:00
VLAI
Title
Linksys FGW3000-AH/FGW3000-HK HTTP POST Request sysconf.cgi control_panel_sw command injection
Summary
A vulnerability was found in Linksys FGW3000-AH and FGW3000-HK up to 1.0.17.000000. It has been classified as critical. This affects the function control_panel_sw of the file /cgi-bin/sysconf.cgi of the component HTTP POST Request Handler. The manipulation of the argument filename leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
URL Tags
https://vuldb.com/?id.309651 vdb-entrytechnical-description
https://vuldb.com/?ctiid.309651 signaturepermissions-required
https://vuldb.com/?submit.565992 third-party-advisory
https://github.com/CH13hh/tmp_store_cc/blob/main/… exploit
https://www.linksys.com/ product
Impacted products
Vendor Product Version
Linksys FGW3000-AH Affected: 1.0.0
Affected: 1.0.1
Affected: 1.0.2
Affected: 1.0.3
Affected: 1.0.4
Affected: 1.0.5
Affected: 1.0.6
Affected: 1.0.7
Affected: 1.0.8
Affected: 1.0.9
Affected: 1.0.10
Affected: 1.0.11
Affected: 1.0.12
Affected: 1.0.13
Affected: 1.0.14
Affected: 1.0.15
Affected: 1.0.16
Affected: 1.0.17.000000
Create a notification for this product.
Linksys FGW3000-HK Affected: 1.0.0
Affected: 1.0.1
Affected: 1.0.2
Affected: 1.0.3
Affected: 1.0.4
Affected: 1.0.5
Affected: 1.0.6
Affected: 1.0.7
Affected: 1.0.8
Affected: 1.0.9
Affected: 1.0.10
Affected: 1.0.11
Affected: 1.0.12
Affected: 1.0.13
Affected: 1.0.14
Affected: 1.0.15
Affected: 1.0.16
Affected: 1.0.17.000000
Create a notification for this product.
Credits
CH13hh (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-5000",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-21T14:00:04.070125Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-21T14:00:13.853Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "HTTP POST Request Handler"
          ],
          "product": "FGW3000-AH",
          "vendor": "Linksys",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.0"
            },
            {
              "status": "affected",
              "version": "1.0.1"
            },
            {
              "status": "affected",
              "version": "1.0.2"
            },
            {
              "status": "affected",
              "version": "1.0.3"
            },
            {
              "status": "affected",
              "version": "1.0.4"
            },
            {
              "status": "affected",
              "version": "1.0.5"
            },
            {
              "status": "affected",
              "version": "1.0.6"
            },
            {
              "status": "affected",
              "version": "1.0.7"
            },
            {
              "status": "affected",
              "version": "1.0.8"
            },
            {
              "status": "affected",
              "version": "1.0.9"
            },
            {
              "status": "affected",
              "version": "1.0.10"
            },
            {
              "status": "affected",
              "version": "1.0.11"
            },
            {
              "status": "affected",
              "version": "1.0.12"
            },
            {
              "status": "affected",
              "version": "1.0.13"
            },
            {
              "status": "affected",
              "version": "1.0.14"
            },
            {
              "status": "affected",
              "version": "1.0.15"
            },
            {
              "status": "affected",
              "version": "1.0.16"
            },
            {
              "status": "affected",
              "version": "1.0.17.000000"
            }
          ]
        },
        {
          "modules": [
            "HTTP POST Request Handler"
          ],
          "product": "FGW3000-HK",
          "vendor": "Linksys",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.0"
            },
            {
              "status": "affected",
              "version": "1.0.1"
            },
            {
              "status": "affected",
              "version": "1.0.2"
            },
            {
              "status": "affected",
              "version": "1.0.3"
            },
            {
              "status": "affected",
              "version": "1.0.4"
            },
            {
              "status": "affected",
              "version": "1.0.5"
            },
            {
              "status": "affected",
              "version": "1.0.6"
            },
            {
              "status": "affected",
              "version": "1.0.7"
            },
            {
              "status": "affected",
              "version": "1.0.8"
            },
            {
              "status": "affected",
              "version": "1.0.9"
            },
            {
              "status": "affected",
              "version": "1.0.10"
            },
            {
              "status": "affected",
              "version": "1.0.11"
            },
            {
              "status": "affected",
              "version": "1.0.12"
            },
            {
              "status": "affected",
              "version": "1.0.13"
            },
            {
              "status": "affected",
              "version": "1.0.14"
            },
            {
              "status": "affected",
              "version": "1.0.15"
            },
            {
              "status": "affected",
              "version": "1.0.16"
            },
            {
              "status": "affected",
              "version": "1.0.17.000000"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "CH13hh (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in Linksys FGW3000-AH and FGW3000-HK up to 1.0.17.000000. It has been classified as critical. This affects the function control_panel_sw of the file /cgi-bin/sysconf.cgi of the component HTTP POST Request Handler. The manipulation of the argument filename leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
        },
        {
          "lang": "de",
          "value": "Es wurde eine Schwachstelle in Linksys FGW3000-AH and FGW3000-HK bis 1.0.17.000000 ausgemacht. Sie wurde als kritisch eingestuft. Hiervon betroffen ist die Funktion control_panel_sw der Datei /cgi-bin/sysconf.cgi der Komponente HTTP POST Request Handler. Dank Manipulation des Arguments filename mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "Command Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-20T21:00:12.784Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-309651 | Linksys FGW3000-AH/FGW3000-HK HTTP POST Request sysconf.cgi control_panel_sw command injection",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.309651"
        },
        {
          "name": "VDB-309651 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.309651"
        },
        {
          "name": "Submit #565992 | Linksys Holdings, Inc. FGW3000-AH/FGW3000-HK \u003c=Ver. 1.0.17.000000 Service parameter injection",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.565992"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/CH13hh/tmp_store_cc/blob/main/FGW3000/2.md"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://www.linksys.com/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-05-20T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-05-20T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-05-20T15:06:47.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Linksys FGW3000-AH/FGW3000-HK HTTP POST Request sysconf.cgi control_panel_sw command injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-5000",
    "datePublished": "2025-05-20T21:00:12.784Z",
    "dateReserved": "2025-05-20T13:01:36.722Z",
    "dateUpdated": "2025-05-21T14:00:13.853Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-4999 (GCVE-0-2025-4999)

Vulnerability from cvelistv5 – Published: 2025-05-20 21:00 – Updated: 2025-05-21 14:02
VLAI
Title
Linksys FGW3000-AH/FGW3000-HK HTTP POST Request sysconf.cgi sub_4153FC command injection
Summary
A vulnerability was found in Linksys FGW3000-AH and FGW3000-HK up to 1.0.17.000000 and classified as critical. Affected by this issue is the function sub_4153FC of the file /cgi-bin/sysconf.cgi of the component HTTP POST Request Handler. The manipulation of the argument supplicant_rnd_id_en leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
URL Tags
https://vuldb.com/?id.309650 vdb-entrytechnical-description
https://vuldb.com/?ctiid.309650 signaturepermissions-required
https://vuldb.com/?submit.565909 third-party-advisory
https://github.com/CH13hh/tmp_store_cc/blob/main/… broken-linkexploit
https://www.linksys.com/ product
Impacted products
Vendor Product Version
Linksys FGW3000-AH Affected: 1.0.0
Affected: 1.0.1
Affected: 1.0.2
Affected: 1.0.3
Affected: 1.0.4
Affected: 1.0.5
Affected: 1.0.6
Affected: 1.0.7
Affected: 1.0.8
Affected: 1.0.9
Affected: 1.0.10
Affected: 1.0.11
Affected: 1.0.12
Affected: 1.0.13
Affected: 1.0.14
Affected: 1.0.15
Affected: 1.0.16
Affected: 1.0.17.000000
Create a notification for this product.
Linksys FGW3000-HK Affected: 1.0.0
Affected: 1.0.1
Affected: 1.0.2
Affected: 1.0.3
Affected: 1.0.4
Affected: 1.0.5
Affected: 1.0.6
Affected: 1.0.7
Affected: 1.0.8
Affected: 1.0.9
Affected: 1.0.10
Affected: 1.0.11
Affected: 1.0.12
Affected: 1.0.13
Affected: 1.0.14
Affected: 1.0.15
Affected: 1.0.16
Affected: 1.0.17.000000
Create a notification for this product.
Credits
CH13hh (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4999",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-21T14:02:08.334988Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-21T14:02:17.528Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "HTTP POST Request Handler"
          ],
          "product": "FGW3000-AH",
          "vendor": "Linksys",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.0"
            },
            {
              "status": "affected",
              "version": "1.0.1"
            },
            {
              "status": "affected",
              "version": "1.0.2"
            },
            {
              "status": "affected",
              "version": "1.0.3"
            },
            {
              "status": "affected",
              "version": "1.0.4"
            },
            {
              "status": "affected",
              "version": "1.0.5"
            },
            {
              "status": "affected",
              "version": "1.0.6"
            },
            {
              "status": "affected",
              "version": "1.0.7"
            },
            {
              "status": "affected",
              "version": "1.0.8"
            },
            {
              "status": "affected",
              "version": "1.0.9"
            },
            {
              "status": "affected",
              "version": "1.0.10"
            },
            {
              "status": "affected",
              "version": "1.0.11"
            },
            {
              "status": "affected",
              "version": "1.0.12"
            },
            {
              "status": "affected",
              "version": "1.0.13"
            },
            {
              "status": "affected",
              "version": "1.0.14"
            },
            {
              "status": "affected",
              "version": "1.0.15"
            },
            {
              "status": "affected",
              "version": "1.0.16"
            },
            {
              "status": "affected",
              "version": "1.0.17.000000"
            }
          ]
        },
        {
          "modules": [
            "HTTP POST Request Handler"
          ],
          "product": "FGW3000-HK",
          "vendor": "Linksys",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.0"
            },
            {
              "status": "affected",
              "version": "1.0.1"
            },
            {
              "status": "affected",
              "version": "1.0.2"
            },
            {
              "status": "affected",
              "version": "1.0.3"
            },
            {
              "status": "affected",
              "version": "1.0.4"
            },
            {
              "status": "affected",
              "version": "1.0.5"
            },
            {
              "status": "affected",
              "version": "1.0.6"
            },
            {
              "status": "affected",
              "version": "1.0.7"
            },
            {
              "status": "affected",
              "version": "1.0.8"
            },
            {
              "status": "affected",
              "version": "1.0.9"
            },
            {
              "status": "affected",
              "version": "1.0.10"
            },
            {
              "status": "affected",
              "version": "1.0.11"
            },
            {
              "status": "affected",
              "version": "1.0.12"
            },
            {
              "status": "affected",
              "version": "1.0.13"
            },
            {
              "status": "affected",
              "version": "1.0.14"
            },
            {
              "status": "affected",
              "version": "1.0.15"
            },
            {
              "status": "affected",
              "version": "1.0.16"
            },
            {
              "status": "affected",
              "version": "1.0.17.000000"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "CH13hh (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in Linksys FGW3000-AH and FGW3000-HK up to 1.0.17.000000 and classified as critical. Affected by this issue is the function sub_4153FC of the file /cgi-bin/sysconf.cgi of the component HTTP POST Request Handler. The manipulation of the argument supplicant_rnd_id_en leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
        },
        {
          "lang": "de",
          "value": "Eine Schwachstelle wurde in Linksys FGW3000-AH and FGW3000-HK bis 1.0.17.000000 gefunden. Sie wurde als kritisch eingestuft. Davon betroffen ist die Funktion sub_4153FC der Datei /cgi-bin/sysconf.cgi der Komponente HTTP POST Request Handler. Dank der Manipulation des Arguments supplicant_rnd_id_en mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "Command Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-20T21:00:11.127Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-309650 | Linksys FGW3000-AH/FGW3000-HK HTTP POST Request sysconf.cgi sub_4153FC command injection",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.309650"
        },
        {
          "name": "VDB-309650 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.309650"
        },
        {
          "name": "Submit #565909 | Linksys Holdings, Inc. FGW3000-AH/FGW3000-HK \u003c=Ver. 1.0.17.000000 Command execution",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.565909"
        },
        {
          "tags": [
            "broken-link",
            "exploit"
          ],
          "url": "https://github.com/CH13hh/tmp_store_cc/blob/main/FGW3000/1.md"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://www.linksys.com/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-05-20T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-05-20T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-05-20T15:06:46.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Linksys FGW3000-AH/FGW3000-HK HTTP POST Request sysconf.cgi sub_4153FC command injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-4999",
    "datePublished": "2025-05-20T21:00:11.127Z",
    "dateReserved": "2025-05-20T13:01:34.411Z",
    "dateUpdated": "2025-05-21T14:02:17.528Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-4851 (GCVE-0-2025-4851)

Vulnerability from cvelistv5 – Published: 2025-05-18 03:31 – Updated: 2025-05-19 14:28
VLAI
Title
TOTOLINK N300RH cstecgi.cgi setUploadUserData command injection
Summary
A vulnerability classified as critical was found in TOTOLINK N300RH 6.1c.1390_B20191101. This vulnerability affects the function setUploadUserData of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument FileName leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
URL Tags
https://vuldb.com/?id.309322 vdb-entrytechnical-description
https://vuldb.com/?ctiid.309322 signaturepermissions-required
https://vuldb.com/?submit.575074 third-party-advisory
https://github.com/CH13hh/tmp_store_cc/blob/main/… broken-linkexploit
https://www.totolink.net/ product
Impacted products
Vendor Product Version
TOTOLINK N300RH Affected: 6.1c.1390_B20191101
Create a notification for this product.
Credits
DaddyShark (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4851",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-19T14:28:49.457478Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-19T14:28:55.806Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "N300RH",
          "vendor": "TOTOLINK",
          "versions": [
            {
              "status": "affected",
              "version": "6.1c.1390_B20191101"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "DaddyShark (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability classified as critical was found in TOTOLINK N300RH 6.1c.1390_B20191101. This vulnerability affects the function setUploadUserData of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument FileName leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used."
        },
        {
          "lang": "de",
          "value": "In TOTOLINK N300RH 6.1c.1390_B20191101 wurde eine Schwachstelle entdeckt. Sie wurde als kritisch eingestuft. Betroffen ist die Funktion setUploadUserData der Datei /cgi-bin/cstecgi.cgi. Mit der Manipulation des Arguments FileName mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "Command Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-18T03:31:05.521Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-309322 | TOTOLINK N300RH cstecgi.cgi setUploadUserData command injection",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.309322"
        },
        {
          "name": "VDB-309322 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.309322"
        },
        {
          "name": "Submit #575074 | TOTOLINK N300RH_V4 V6.1c.1390_B20191101 Command execution",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.575074"
        },
        {
          "tags": [
            "broken-link",
            "exploit"
          ],
          "url": "https://github.com/CH13hh/tmp_store_cc/blob/main/tt/ta/m3.md"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://www.totolink.net/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-05-16T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-05-16T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-05-16T17:21:58.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "TOTOLINK N300RH cstecgi.cgi setUploadUserData command injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-4851",
    "datePublished": "2025-05-18T03:31:05.521Z",
    "dateReserved": "2025-05-16T15:16:21.822Z",
    "dateUpdated": "2025-05-19T14:28:55.806Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-4850 (GCVE-0-2025-4850)

Vulnerability from cvelistv5 – Published: 2025-05-18 03:00 – Updated: 2025-05-19 14:29
VLAI
Title
TOTOLINK N300RH cstecgi.cgi setUnloadUserData command injection
Summary
A vulnerability classified as critical has been found in TOTOLINK N300RH 6.1c.1390_B20191101. This affects the function setUnloadUserData of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument plugin_name leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
URL Tags
https://vuldb.com/?id.309321 vdb-entrytechnical-description
https://vuldb.com/?ctiid.309321 signaturepermissions-required
https://vuldb.com/?submit.575073 third-party-advisory
https://github.com/CH13hh/tmp_store_cc/blob/main/… broken-linkexploit
https://www.totolink.net/ product
Impacted products
Vendor Product Version
TOTOLINK N300RH Affected: 6.1c.1390_B20191101
Create a notification for this product.
Credits
DaddyShark (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4850",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-19T14:29:32.930399Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-19T14:29:39.205Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "N300RH",
          "vendor": "TOTOLINK",
          "versions": [
            {
              "status": "affected",
              "version": "6.1c.1390_B20191101"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "DaddyShark (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability classified as critical has been found in TOTOLINK N300RH 6.1c.1390_B20191101. This affects the function setUnloadUserData of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument plugin_name leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used."
        },
        {
          "lang": "de",
          "value": "Es wurde eine Schwachstelle in TOTOLINK N300RH 6.1c.1390_B20191101 entdeckt. Sie wurde als kritisch eingestuft. Hiervon betroffen ist die Funktion setUnloadUserData der Datei /cgi-bin/cstecgi.cgi. Dank Manipulation des Arguments plugin_name mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "Command Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-18T03:00:09.448Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-309321 | TOTOLINK N300RH cstecgi.cgi setUnloadUserData command injection",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.309321"
        },
        {
          "name": "VDB-309321 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.309321"
        },
        {
          "name": "Submit #575073 | TOTOLINK N300RH_V4 V6.1c.1390_B20191101 Command execution",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.575073"
        },
        {
          "tags": [
            "broken-link",
            "exploit"
          ],
          "url": "https://github.com/CH13hh/tmp_store_cc/blob/main/tt/ta/m2.md"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://www.totolink.net/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-05-16T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-05-16T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-05-16T17:21:33.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "TOTOLINK N300RH cstecgi.cgi setUnloadUserData command injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-4850",
    "datePublished": "2025-05-18T03:00:09.448Z",
    "dateReserved": "2025-05-16T15:16:18.882Z",
    "dateUpdated": "2025-05-19T14:29:39.205Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Mitigation
Architecture and Design

If at all possible, use library calls rather than external processes to recreate the desired functionality.

Mitigation
Implementation

If possible, ensure that all external commands called from the program are statically created.

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation
Operation

Run time: Run time policy enforcement may be used in an allowlist fashion to prevent use of any non-sanctioned commands.

Mitigation
System Configuration

Assign permissions that prevent the user from accessing/opening privileged files.

CAPEC-136: LDAP Injection

An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value.

CAPEC-15: Command Delimiters

An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.

CAPEC-183: IMAP/SMTP Command Injection

An adversary exploits weaknesses in input validation on web-mail servers to execute commands on the IMAP/SMTP server. Web-mail servers often sit between the Internet and the IMAP or SMTP mail server. User requests are received by the web-mail servers which then query the back-end mail server for the requested information and return this response to the user. In an IMAP/SMTP command injection attack, mail-server commands are embedded in parts of the request sent to the web-mail server. If the web-mail server fails to adequately sanitize these requests, these commands are then sent to the back-end mail server when it is queried by the web-mail server, where the commands are then executed. This attack can be especially dangerous since administrators may assume that the back-end server is protected against direct Internet access and therefore may not secure it adequately against the execution of malicious commands.

CAPEC-248: Command Injection

An adversary looking to execute a command of their choosing, injects new items into an existing command thus modifying interpretation away from what was intended. Commands in this context are often standalone strings that are interpreted by a downstream component and cause specific responses. This type of attack is possible when untrusted values are used to build these command strings. Weaknesses in input validation or command construction can enable the attack and lead to successful exploitation.

CAPEC-40: Manipulating Writeable Terminal Devices

This attack exploits terminal devices that allow themselves to be written to by other users. The attacker sends command strings to the target terminal device hoping that the target user will hit enter and thereby execute the malicious command with their privileges. The attacker can send the results (such as copying /etc/passwd) to a known directory and collect once the attack has succeeded.

CAPEC-43: Exploiting Multiple Input Interpretation Layers

An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: <parser1> --> <input validator> --> <parser2>. In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.

CAPEC-75: Manipulating Writeable Configuration Files

Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.