CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CVE-2025-4135 (GCVE-0-2025-4135)
Vulnerability from cvelistv5 – Published: 2025-04-30 17:31 – Updated: 2025-04-30 18:12
VLAI
Title
Netgear WG302v2 ui_get_input_value command injection
Summary
A vulnerability was found in Netgear WG302v2 up to 5.2.9 and classified as critical. Affected by this issue is the function ui_get_input_value. The manipulation of the argument host leads to command injection. The attack may be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
6.3 (Medium)
6.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.306626 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.306626 | signaturepermissions-required |
| https://vuldb.com/?submit.560779 | third-party-advisory |
| https://github.com/jylsec/vuldb/blob/main/Netgear… | patch |
| https://www.netgear.com/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4135",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-30T18:12:09.029886Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T18:12:17.638Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WG302v2",
"vendor": "Netgear",
"versions": [
{
"status": "affected",
"version": "5.2.0"
},
{
"status": "affected",
"version": "5.2.1"
},
{
"status": "affected",
"version": "5.2.2"
},
{
"status": "affected",
"version": "5.2.3"
},
{
"status": "affected",
"version": "5.2.4"
},
{
"status": "affected",
"version": "5.2.5"
},
{
"status": "affected",
"version": "5.2.6"
},
{
"status": "affected",
"version": "5.2.7"
},
{
"status": "affected",
"version": "5.2.8"
},
{
"status": "affected",
"version": "5.2.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "54357 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Netgear WG302v2 up to 5.2.9 and classified as critical. Affected by this issue is the function ui_get_input_value. The manipulation of the argument host leads to command injection. The attack may be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in Netgear WG302v2 bis 5.2.9 gefunden. Sie wurde als kritisch eingestuft. Es geht hierbei um die Funktion ui_get_input_value. Dank Manipulation des Arguments host mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "Command Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T17:31:04.131Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-306626 | Netgear WG302v2 ui_get_input_value command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.306626"
},
{
"name": "VDB-306626 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.306626"
},
{
"name": "Submit #560779 | Netgear WG302v2 5.2.9 Command Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.560779"
},
{
"tags": [
"patch"
],
"url": "https://github.com/jylsec/vuldb/blob/main/Netgear/netgear_WG302v2/Command_injection-basic_settings_handler-static-ip-update/README.md"
},
{
"tags": [
"product"
],
"url": "https://www.netgear.com/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-04-30T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-04-30T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-04-30T15:04:01.000Z",
"value": "VulDB entry last update"
}
],
"title": "Netgear WG302v2 ui_get_input_value command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-4135",
"datePublished": "2025-04-30T17:31:04.131Z",
"dateReserved": "2025-04-30T12:58:57.697Z",
"dateUpdated": "2025-04-30T18:12:17.638Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-41451 (GCVE-0-2025-41451)
Vulnerability from cvelistv5 – Published: 2025-08-22 02:40 – Updated: 2025-08-22 11:25
VLAI
Title
Post-Authentication OS Command Injection RCE in Danfoss AK-SM8xxA Series
Summary
Improper neutralization of alarm-to-mail configuration fields used in an OS shell Command ('Command Injection') in Danfoss AK-SM8xxA Series prior to version 4.3.1, leading to a potential post-authenticated remote code execution on an attacked system.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Danfoss | AK-SM8xxA Series |
Affected:
0 , < 4.3.1
(cpe)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41451",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-22T10:59:49.161150Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-22T11:25:28.640Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "AK-SM8xxA Series",
"vendor": "Danfoss",
"versions": [
{
"lessThan": "4.3.1",
"status": "affected",
"version": "0",
"versionType": "cpe"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper neutralization of alarm-to-mail configuration fields used in an OS shell Command (\u0027Command Injection\u0027) in Danfoss AK-SM8xxA Series\u0026nbsp;prior to version 4.3.1, leading to a potential post-authenticated remote code execution on an attacked system."
}
],
"value": "Improper neutralization of alarm-to-mail configuration fields used in an OS shell Command (\u0027Command Injection\u0027) in Danfoss AK-SM8xxA Series\u00a0prior to version 4.3.1, leading to a potential post-authenticated remote code execution on an attacked system."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-22T02:40:46.216Z",
"orgId": "d7ff35af-cf88-454c-bab9-af60602f10f8",
"shortName": "Danfoss"
},
"references": [
{
"url": "https://www.danfoss.com/en/service-and-support/downloads/dcs/adap-kool-software/ak-sm-800a/#tab-overview"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Post-Authentication OS Command Injection RCE in Danfoss AK-SM8xxA Series",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "d7ff35af-cf88-454c-bab9-af60602f10f8",
"assignerShortName": "Danfoss",
"cveId": "CVE-2025-41451",
"datePublished": "2025-08-22T02:40:46.216Z",
"dateReserved": "2025-04-16T10:32:42.818Z",
"dateUpdated": "2025-08-22T11:25:28.640Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-41721 (GCVE-0-2025-41721)
Vulnerability from cvelistv5 – Published: 2025-10-22 06:55 – Updated: 2025-10-22 13:31
VLAI
Title
Sauter: Command Injection
Summary
A high privileged remote attacker can influence the parameters passed to the openssl command due to improper neutralization of special elements when adding a password protected self-signed certificate.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
1 reference
Impacted products
6 products
| Vendor | Product | Version | |
|---|---|---|---|
| Sauter | modulo 6 devices modu680-AS |
Affected:
0.0.0 , < Firmware v3.2.0
(semver)
|
|
| Sauter | modulo 6 devices modu660-AS |
Affected:
0.0.0 , < Firmware v3.2.0
(semver)
|
|
| Sauter | modulo 6 devices modu612-LC |
Affected:
0.0.0 , < Firmware v3.2.0
(semver)
|
|
| Sauter | EY-modulo 5 modu 5 modu524 |
Affected:
0.0 , < Firmware v6.0
(semver)
|
|
| Sauter | EY-modulo 5 modu 5 modu525 |
Affected:
0.0 , < Firmware v6.0
(semver)
|
|
| Sauter | EY-modulo 5 ecos 5 ecos504/505 |
Affected:
0.0 , < Firmware v6.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41721",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-22T13:31:24.266594Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:31:30.683Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "modulo 6 devices modu680-AS",
"vendor": "Sauter",
"versions": [
{
"lessThan": "Firmware v3.2.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "modulo 6 devices modu660-AS",
"vendor": "Sauter",
"versions": [
{
"lessThan": "Firmware v3.2.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "modulo 6 devices modu612-LC",
"vendor": "Sauter",
"versions": [
{
"lessThan": "Firmware v3.2.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EY-modulo 5 modu 5 modu524",
"vendor": "Sauter",
"versions": [
{
"lessThan": "Firmware v6.0",
"status": "affected",
"version": "0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EY-modulo 5 modu 5 modu525",
"vendor": "Sauter",
"versions": [
{
"lessThan": "Firmware v6.0",
"status": "affected",
"version": "0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EY-modulo 5 ecos 5 ecos504/505",
"vendor": "Sauter",
"versions": [
{
"lessThan": "Firmware v6.0",
"status": "affected",
"version": "0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Damian Pfammatter, Daniel Hulliger from Cyber-Defence Campus armasuisse S+T"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A high privileged remote attacker can influence the parameters passed to the openssl command due to improper neutralization of special elements when adding a password protected self-signed certificate."
}
],
"value": "A high privileged remote attacker can influence the parameters passed to the openssl command due to improper neutralization of special elements when adding a password protected self-signed certificate."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77:Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T06:55:22.860Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://sauter.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-060.json"
}
],
"source": {
"advisory": "VDE-2025-060",
"defect": [
"CERT@VDE#641818"
],
"discovery": "UNKNOWN"
},
"title": "Sauter: Command Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2025-41721",
"datePublished": "2025-10-22T06:55:22.860Z",
"dateReserved": "2025-04-16T11:17:48.317Z",
"dateUpdated": "2025-10-22T13:31:30.683Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4231 (GCVE-0-2025-4231)
Vulnerability from cvelistv5 – Published: 2025-06-12 23:27 – Updated: 2026-02-26 17:50
VLAI
Title
PAN-OS: Authenticated Admin Command Injection Vulnerability in the Management Web Interface
Summary
A command injection vulnerability in Palo Alto Networks PAN-OS® enables an authenticated administrative user to perform actions as the root user.
The attacker must have network access to the management web interface and successfully authenticate to exploit this issue.
Cloud NGFW and Prisma Access are not impacted by this vulnerability.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security.paloaltonetworks.com/CVE-2025-4231 | vendor-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Palo Alto Networks | Cloud NGFW |
Unaffected:
All , < 6.3.3
(custom)
|
|
| Palo Alto Networks | PAN-OS |
Unaffected:
11.2.0
(custom)
Unaffected: 11.1.0 (custom) Affected: 11.0.0 , < 11.0.3 (custom) Affected: 10.2.0 , < 10.2.8 (custom) Affected: 10.1.0 (custom) cpe:2.3:o:palo_alto_networks:pan-os:11.0.2:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.0.1:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:11.0.0:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.6:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.5:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.3:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.2:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.1:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.2.0:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.13:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.12:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.11:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.10:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.9:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.8:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.7:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.6:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.5:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.4:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.3:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.2:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.1:*:*:*:*:*:*:* cpe:2.3:o:palo_alto_networks:pan-os:10.1.0:*:*:*:*:*:*:* |
|
| Palo Alto Networks | Prisma Access |
Unaffected:
All
(custom)
|
Date Public
2025-06-11 16:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4231",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-13T03:55:19.943513Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:50:39.522Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cloud NGFW",
"vendor": "Palo Alto Networks",
"versions": [
{
"changes": [
{
"at": "6.3.3",
"status": "unaffected"
}
],
"lessThan": "6.3.3",
"status": "unaffected",
"version": "All",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:palo_alto_networks:pan-os:11.0.2:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.0.1:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:11.0.0:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.6:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.5:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.3:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.2:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.1:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.2.0:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.13:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.12:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.11:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.10:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.9:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.8:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.7:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.6:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.5:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.4:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.3:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.2:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.1:*:*:*:*:*:*:*",
"cpe:2.3:o:palo_alto_networks:pan-os:10.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "PAN-OS",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "11.2.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "11.1.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "11.0.3",
"status": "unaffected"
}
],
"lessThan": "11.0.3",
"status": "affected",
"version": "11.0.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "10.2.8",
"status": "unaffected"
}
],
"lessThan": "10.2.8",
"status": "affected",
"version": "10.2.0",
"versionType": "custom"
},
{
"status": "affected",
"version": "10.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Prisma Access",
"vendor": "Palo Alto Networks",
"versions": [
{
"status": "unaffected",
"version": "All",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe risk is greatest if you allow access to the management web interface from the internet or from any untrusted network either:\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003cp\u003eDirectly; or\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eThrough a dataplane interface that includes a management interface profile.\u003c/p\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eYou greatly reduce the risk if you ensure that you allow only trusted internal IP addresses to access the management web interface.\u003c/p\u003e\u003cp\u003eUse the following steps to identify your recently detected devices in our internet scans.\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003cp\u003eTo find any assets that require remediation, visit the Assets section of the Customer Support Portal:\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.paloaltonetworks.com/\"\u003ehttps://support.paloaltonetworks.com\u003c/a\u003e\u0026nbsp;and then select Products \u2192 Assets \u2192 All Assets \u2192 Remediation Required).\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eReview the list of your assets that we discovered in our scans to have an internet-facing management interface. We tagged these assets with \u2018PAN-SA-2024-0015\u2019 and a last seen timestamp (in UTC). If you do not see any such assets listed, then our scan did not find any devices associated with your account in the past three days that have an internet-facing management interface.\u003cbr\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ol\u003e\u003cdiv\u003e\u003cp\u003eGlobalProtect\u2122 portals and gateways are not vulnerable to this issue. However, if you configure a management profile on interfaces with GlobalProtect portals or gateways, then you are exposing the firewall to attacks through the management web interface (typically accessible on port 4443).\u003c/p\u003e\u003c/div\u003e\u003cb\u003e\u003cp\u003e\u003c/p\u003e\u003c/b\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "The risk is greatest if you allow access to the management web interface from the internet or from any untrusted network either:\n\n * Directly; or\n\n\n * Through a dataplane interface that includes a management interface profile.\n\n\nYou greatly reduce the risk if you ensure that you allow only trusted internal IP addresses to access the management web interface.\n\nUse the following steps to identify your recently detected devices in our internet scans.\n\n * To find any assets that require remediation, visit the Assets section of the Customer Support Portal: https://support.paloaltonetworks.com https://support.paloaltonetworks.com/ \u00a0and then select Products \u2192 Assets \u2192 All Assets \u2192 Remediation Required).\n\n\n * Review the list of your assets that we discovered in our scans to have an internet-facing management interface. We tagged these assets with \u2018PAN-SA-2024-0015\u2019 and a last seen timestamp (in UTC). If you do not see any such assets listed, then our scan did not find any devices associated with your account in the past three days that have an internet-facing management interface.\n\n\n\nGlobalProtect\u2122 portals and gateways are not vulnerable to this issue. However, if you configure a management profile on interfaces with GlobalProtect portals or gateways, then you are exposing the firewall to attacks through the management web interface (typically accessible on port 4443)."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "spcnvdr"
}
],
"datePublic": "2025-06-11T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A command injection vulnerability in Palo Alto Networks PAN-OS\u00ae enables an authenticated administrative user to perform actions as the root user.\u003cbr\u003e\u003cbr\u003eThe attacker must have network access to the management web interface and successfully authenticate to exploit this issue.\u003cbr\u003e\u003cbr\u003eCloud NGFW and Prisma Access are not impacted by this vulnerability."
}
],
"value": "A command injection vulnerability in Palo Alto Networks PAN-OS\u00ae enables an authenticated administrative user to perform actions as the root user.\n\nThe attacker must have network access to the management web interface and successfully authenticate to exploit this issue.\n\nCloud NGFW and Prisma Access are not impacted by this vulnerability."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
}
],
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N/AU:N/R:U/V:C/RE:M/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "The risk is highest when you allow access to the management interface from external IP addresses on the internet."
}
]
},
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N/AU:N/R:U/V:C/RE:M/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "You can greatly reduce the risk of exploitation by restricting access to a jump box that is the only system allowed to access the management interface. This will ensure that attacks can succeed only if they obtain privileged access through those specified IP addresses."
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-12T23:27:31.432Z",
"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"shortName": "palo_alto"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.paloaltonetworks.com/CVE-2025-4231"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eVersion\u003cbr\u003e\u003c/th\u003e\u003cth\u003eMinor Version\u003cbr\u003e\u003c/th\u003e\u003cth\u003eSuggested Solution\u003cbr\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003ePAN-OS 11.2\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u003c/td\u003e\u003ctd\u003eNo action needed.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePAN-OS 11.1\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u003c/td\u003e\u003ctd\u003eNo action needed.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\n \u003ctd\u003ePAN-OS 11.0*\u003cbr\u003e\u003c/td\u003e\n \u003ctd\u003e11.0.0 through 11.0.2\u003c/td\u003e\n \u003ctd\u003eUpgrade to 11.0.3 or later.\u003c/td\u003e\n \u003c/tr\u003e\u003ctr\u003e\n \u003ctd\u003ePAN-OS 10.2\u003cbr\u003e\u003c/td\u003e\n \u003ctd\u003e10.2.0 through 10.2.7\u003c/td\u003e\n \u003ctd\u003eUpgrade to 10.2.8 or later.\u003c/td\u003e\n \u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePAN-OS 10.1\u003c/td\u003e\u003ctd\u003e\u003c/td\u003e\u003ctd\u003eUpgrade to 10.2.8 or 11.0.3 or later.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAll older\u003cbr\u003eunsupported\u003cbr\u003ePAN-OS versions\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003eUpgrade to a supported fixed version.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e\u003cp\u003e*PAN-OS 11.0 has reached EoL. We listed it here for completeness because a patch for PAN-OS 11.0 was released before it reached EoL. If you are still using any vulnerable EoL versions, we strongly recommend that you upgrade to a supported fixed PAN-OS version.\u003c/p\u003e"
}
],
"value": "Version\nMinor Version\nSuggested Solution\nPAN-OS 11.2\nNo action needed.PAN-OS 11.1\nNo action needed.\n PAN-OS 11.0*\n\n 11.0.0 through 11.0.2\n Upgrade to 11.0.3 or later.\n \n PAN-OS 10.2\n\n 10.2.0 through 10.2.7\n Upgrade to 10.2.8 or later.\n PAN-OS 10.1Upgrade to 10.2.8 or 11.0.3 or later.All older\nunsupported\nPAN-OS versions\u00a0Upgrade to a supported fixed version.\n*PAN-OS 11.0 has reached EoL. We listed it here for completeness because a patch for PAN-OS 11.0 was released before it reached EoL. If you are still using any vulnerable EoL versions, we strongly recommend that you upgrade to a supported fixed PAN-OS version."
}
],
"source": {
"defect": [
"PAN-215223"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2025-06-11T16:00:00.000Z",
"value": "Initial Publication"
}
],
"title": "PAN-OS: Authenticated Admin Command Injection Vulnerability in the Management Web Interface",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cb\u003eRecommended mitigation\u003c/b\u003e\u2014The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you have not already, we strongly recommend that you secure access to your management interface according to our \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431\"\u003ecritical deployment guidelines\u003c/a\u003e. Specifically, you should restrict management interface access to only trusted internal IP addresses.\u003c/p\u003e\u003cp\u003eReview more information about how to secure management access to your Palo Alto Networks firewalls in these documents:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003ePalo Alto Networks LIVEcommunity article: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431\"\u003ehttps://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431\u003c/a\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003ePalo Alto Networks official and detailed technical documentation: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices\"\u003ehttps://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices\u003c/a\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "Recommended mitigation\u2014The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you have not already, we strongly recommend that you secure access to your management interface according to our https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 \n\n\n\n\n * Palo Alto Networks official and detailed technical documentation: https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices"
}
],
"x_affectedList": [
"PAN-OS 11.0.2-h5",
"PAN-OS 11.0.2-h4",
"PAN-OS 11.0.2-h3",
"PAN-OS 11.0.2-h2",
"PAN-OS 11.0.2-h1",
"PAN-OS 11.0.2",
"PAN-OS 11.0.1-h5",
"PAN-OS 11.0.1-h4",
"PAN-OS 11.0.1-h3",
"PAN-OS 11.0.1-h2",
"PAN-OS 11.0.1-h1",
"PAN-OS 11.0.1",
"PAN-OS 11.0.0-h4",
"PAN-OS 11.0.0-h3",
"PAN-OS 11.0.0-h2",
"PAN-OS 11.0.0-h1",
"PAN-OS 11.0.0",
"PAN-OS 10.2.7-h24",
"PAN-OS 10.2.7-h23",
"PAN-OS 10.2.7-h22",
"PAN-OS 10.2.7-h21",
"PAN-OS 10.2.7-h20",
"PAN-OS 10.2.7-h19",
"PAN-OS 10.2.7-h18",
"PAN-OS 10.2.7-h17",
"PAN-OS 10.2.7-h16",
"PAN-OS 10.2.7-h15",
"PAN-OS 10.2.7-h14",
"PAN-OS 10.2.7-h13",
"PAN-OS 10.2.7-h12",
"PAN-OS 10.2.7-h11",
"PAN-OS 10.2.7-h10",
"PAN-OS 10.2.7-h9",
"PAN-OS 10.2.7-h8",
"PAN-OS 10.2.7-h7",
"PAN-OS 10.2.7-h6",
"PAN-OS 10.2.7-h5",
"PAN-OS 10.2.7-h4",
"PAN-OS 10.2.7-h3",
"PAN-OS 10.2.7-h2",
"PAN-OS 10.2.7-h1",
"PAN-OS 10.2.7",
"PAN-OS 10.2.6-h6",
"PAN-OS 10.2.6-h5",
"PAN-OS 10.2.6-h4",
"PAN-OS 10.2.6-h3",
"PAN-OS 10.2.6-h2",
"PAN-OS 10.2.6-h1",
"PAN-OS 10.2.6",
"PAN-OS 10.2.5-h9",
"PAN-OS 10.2.5-h8",
"PAN-OS 10.2.5-h7",
"PAN-OS 10.2.5-h6",
"PAN-OS 10.2.5-h5",
"PAN-OS 10.2.5-h4",
"PAN-OS 10.2.5-h3",
"PAN-OS 10.2.5-h2",
"PAN-OS 10.2.5-h1",
"PAN-OS 10.2.5",
"PAN-OS 10.2.4-h32",
"PAN-OS 10.2.4-h31",
"PAN-OS 10.2.4-h30",
"PAN-OS 10.2.4-h29",
"PAN-OS 10.2.4-h28",
"PAN-OS 10.2.4-h27",
"PAN-OS 10.2.4-h26",
"PAN-OS 10.2.4-h25",
"PAN-OS 10.2.4-h24",
"PAN-OS 10.2.4-h23",
"PAN-OS 10.2.4-h22",
"PAN-OS 10.2.4-h21",
"PAN-OS 10.2.4-h20",
"PAN-OS 10.2.4-h19",
"PAN-OS 10.2.4-h18",
"PAN-OS 10.2.4-h17",
"PAN-OS 10.2.4-h16",
"PAN-OS 10.2.4-h15",
"PAN-OS 10.2.4-h14",
"PAN-OS 10.2.4-h13",
"PAN-OS 10.2.4-h12",
"PAN-OS 10.2.4-h11",
"PAN-OS 10.2.4-h10",
"PAN-OS 10.2.4-h9",
"PAN-OS 10.2.4-h8",
"PAN-OS 10.2.4-h7",
"PAN-OS 10.2.4-h6",
"PAN-OS 10.2.4-h5",
"PAN-OS 10.2.4-h4",
"PAN-OS 10.2.4-h3",
"PAN-OS 10.2.4-h2",
"PAN-OS 10.2.4-h1",
"PAN-OS 10.2.4",
"PAN-OS 10.2.3-h14",
"PAN-OS 10.2.3-h13",
"PAN-OS 10.2.3-h12",
"PAN-OS 10.2.3-h11",
"PAN-OS 10.2.3-h10",
"PAN-OS 10.2.3-h9",
"PAN-OS 10.2.3-h8",
"PAN-OS 10.2.3-h7",
"PAN-OS 10.2.3-h6",
"PAN-OS 10.2.3-h5",
"PAN-OS 10.2.3-h4",
"PAN-OS 10.2.3-h3",
"PAN-OS 10.2.3-h2",
"PAN-OS 10.2.3-h1",
"PAN-OS 10.2.3",
"PAN-OS 10.2.2-h6",
"PAN-OS 10.2.2-h5",
"PAN-OS 10.2.2-h4",
"PAN-OS 10.2.2-h3",
"PAN-OS 10.2.2-h2",
"PAN-OS 10.2.2-h1",
"PAN-OS 10.2.2",
"PAN-OS 10.2.1-h3",
"PAN-OS 10.2.1-h2",
"PAN-OS 10.2.1-h1",
"PAN-OS 10.2.1",
"PAN-OS 10.2.0-h4",
"PAN-OS 10.2.0-h3",
"PAN-OS 10.2.0-h2",
"PAN-OS 10.2.0-h1",
"PAN-OS 10.2.0",
"PAN-OS 10.1.14-h14",
"PAN-OS 10.1.14-h13",
"PAN-OS 10.1.14-h11",
"PAN-OS 10.1.14-h10",
"PAN-OS 10.1.14-h9",
"PAN-OS 10.1.14-h8",
"PAN-OS 10.1.14-h7",
"PAN-OS 10.1.14-h6",
"PAN-OS 10.1.14-h5",
"PAN-OS 10.1.14-h4",
"PAN-OS 10.1.14-h3",
"PAN-OS 10.1.14-h2",
"PAN-OS 10.1.14-h1",
"PAN-OS 10.1.14",
"PAN-OS 10.1.13-h5",
"PAN-OS 10.1.13-h4",
"PAN-OS 10.1.13-h3",
"PAN-OS 10.1.13-h2",
"PAN-OS 10.1.13-h1",
"PAN-OS 10.1.13",
"PAN-OS 10.1.12-h3",
"PAN-OS 10.1.12-h2",
"PAN-OS 10.1.12-h1",
"PAN-OS 10.1.12",
"PAN-OS 10.1.11-h10",
"PAN-OS 10.1.11-h9",
"PAN-OS 10.1.11-h8",
"PAN-OS 10.1.11-h7",
"PAN-OS 10.1.11-h6",
"PAN-OS 10.1.11-h5",
"PAN-OS 10.1.11-h4",
"PAN-OS 10.1.11-h3",
"PAN-OS 10.1.11-h2",
"PAN-OS 10.1.11-h1",
"PAN-OS 10.1.11",
"PAN-OS 10.1.10-h9",
"PAN-OS 10.1.10-h8",
"PAN-OS 10.1.10-h7",
"PAN-OS 10.1.10-h6",
"PAN-OS 10.1.10-h5",
"PAN-OS 10.1.10-h4",
"PAN-OS 10.1.10-h3",
"PAN-OS 10.1.10-h2",
"PAN-OS 10.1.10-h1",
"PAN-OS 10.1.10",
"PAN-OS 10.1.9-h14",
"PAN-OS 10.1.9-h13",
"PAN-OS 10.1.9-h12",
"PAN-OS 10.1.9-h11",
"PAN-OS 10.1.9-h10",
"PAN-OS 10.1.9-h9",
"PAN-OS 10.1.9-h8",
"PAN-OS 10.1.9-h7",
"PAN-OS 10.1.9-h6",
"PAN-OS 10.1.9-h5",
"PAN-OS 10.1.9-h4",
"PAN-OS 10.1.9-h3",
"PAN-OS 10.1.9-h2",
"PAN-OS 10.1.9-h1",
"PAN-OS 10.1.9",
"PAN-OS 10.1.8-h8",
"PAN-OS 10.1.8-h7",
"PAN-OS 10.1.8-h6",
"PAN-OS 10.1.8-h5",
"PAN-OS 10.1.8-h4",
"PAN-OS 10.1.8-h3",
"PAN-OS 10.1.8-h2",
"PAN-OS 10.1.8-h1",
"PAN-OS 10.1.8",
"PAN-OS 10.1.7-h1",
"PAN-OS 10.1.7",
"PAN-OS 10.1.6-h9",
"PAN-OS 10.1.6-h8",
"PAN-OS 10.1.6-h7",
"PAN-OS 10.1.6-h6",
"PAN-OS 10.1.6-h5",
"PAN-OS 10.1.6-h4",
"PAN-OS 10.1.6-h3",
"PAN-OS 10.1.6-h2",
"PAN-OS 10.1.6-h1",
"PAN-OS 10.1.6",
"PAN-OS 10.1.5-h4",
"PAN-OS 10.1.5-h3",
"PAN-OS 10.1.5-h2",
"PAN-OS 10.1.5-h1",
"PAN-OS 10.1.5",
"PAN-OS 10.1.4-h6",
"PAN-OS 10.1.4-h5",
"PAN-OS 10.1.4-h4",
"PAN-OS 10.1.4-h3",
"PAN-OS 10.1.4-h2",
"PAN-OS 10.1.4-h1",
"PAN-OS 10.1.4",
"PAN-OS 10.1.3-h4",
"PAN-OS 10.1.3-h3",
"PAN-OS 10.1.3-h2",
"PAN-OS 10.1.3-h1",
"PAN-OS 10.1.3",
"PAN-OS 10.1.2",
"PAN-OS 10.1.1",
"PAN-OS 10.1.0"
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"assignerShortName": "palo_alto",
"cveId": "CVE-2025-4231",
"datePublished": "2025-06-12T23:27:31.432Z",
"dateReserved": "2025-05-02T19:10:44.240Z",
"dateUpdated": "2026-02-26T17:50:39.522Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-4340 (GCVE-0-2025-4340)
Vulnerability from cvelistv5 – Published: 2025-05-06 08:00 – Updated: 2025-05-06 13:53 Unsupported When Assigned
VLAI
Title
D-Link DIR-890L/DIR-806A1 soap.cgi sub_175C8 command injection
Summary
A vulnerability classified as critical has been found in D-Link DIR-890L and DIR-806A1 up to 100CNb11/108B03. Affected is the function sub_175C8 of the file /htdocs/soap.cgi. The manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
Severity
6.3 (Medium)
6.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.307458 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.307458 | signaturepermissions-required |
| https://vuldb.com/?submit.556092 | third-party-advisory |
| https://github.com/CH13hh/tmp_store_cc/blob/main/… | exploit |
| https://www.dlink.com/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4340",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-06T13:53:21.760461Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T13:53:27.958Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/CH13hh/tmp_store_cc/blob/main/tt/1.md"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DIR-890L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "100CNb11"
},
{
"status": "affected",
"version": "108B03"
}
]
},
{
"product": "DIR-806A1",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "100CNb11"
},
{
"status": "affected",
"version": "108B03"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "BabyShark (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as critical has been found in D-Link DIR-890L and DIR-806A1 up to 100CNb11/108B03. Affected is the function sub_175C8 of the file /htdocs/soap.cgi. The manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer."
},
{
"lang": "de",
"value": "Es wurde eine kritische Schwachstelle in D-Link DIR-890L and DIR-806A1 bis 100CNb11/108B03 entdeckt. Dabei betrifft es die Funktion sub_175C8 der Datei /htdocs/soap.cgi. Durch Manipulieren mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "Command Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T08:00:08.557Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-307458 | D-Link DIR-890L/DIR-806A1 soap.cgi sub_175C8 command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.307458"
},
{
"name": "VDB-307458 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.307458"
},
{
"name": "Submit #556092 | D-Link DIR-890 L A1 DIR-806A1 DIR-890 L A1\u003c=108B03 DIR-806A1\u003c=100CNb11 Command execution",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.556092"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/CH13hh/tmp_store_cc/blob/main/tt/1.md"
},
{
"tags": [
"product"
],
"url": "https://www.dlink.com/"
}
],
"tags": [
"unsupported-when-assigned"
],
"timeline": [
{
"lang": "en",
"time": "2025-05-05T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-05-05T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-05-05T18:57:40.000Z",
"value": "VulDB entry last update"
}
],
"title": "D-Link DIR-890L/DIR-806A1 soap.cgi sub_175C8 command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-4340",
"datePublished": "2025-05-06T08:00:08.557Z",
"dateReserved": "2025-05-05T16:51:28.370Z",
"dateUpdated": "2025-05-06T13:53:27.958Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4341 (GCVE-0-2025-4341)
Vulnerability from cvelistv5 – Published: 2025-05-06 08:31 – Updated: 2025-05-06 13:50 Unsupported When Assigned
VLAI
Title
D-Link DIR-880L Request Header ssdpcgi sub_16570 command injection
Summary
A vulnerability classified as critical was found in D-Link DIR-880L up to 104WWb01. Affected by this vulnerability is the function sub_16570 of the file /htdocs/ssdpcgi of the component Request Header Handler. The manipulation of the argument HTTP_ST/REMOTE_ADDR/REMOTE_PORT/SERVER_ID leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
Severity
6.3 (Medium)
6.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.307459 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.307459 | signaturepermissions-required |
| https://vuldb.com/?submit.556433 | third-party-advisory |
| https://github.com/CH13hh/tmp_store_cc/blob/main/… | exploit |
| https://www.dlink.com/ | product |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4341",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-06T13:50:32.592082Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T13:50:37.275Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/CH13hh/tmp_store_cc/blob/main/DIR-880L/1.md"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Request Header Handler"
],
"product": "DIR-880L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "104WWb01"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "BabyShark (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as critical was found in D-Link DIR-880L up to 104WWb01. Affected by this vulnerability is the function sub_16570 of the file /htdocs/ssdpcgi of the component Request Header Handler. The manipulation of the argument HTTP_ST/REMOTE_ADDR/REMOTE_PORT/SERVER_ID leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer."
},
{
"lang": "de",
"value": "In D-Link DIR-880L bis 104WWb01 wurde eine kritische Schwachstelle entdeckt. Hierbei betrifft es die Funktion sub_16570 der Datei /htdocs/ssdpcgi der Komponente Request Header Handler. Durch das Beeinflussen des Arguments HTTP_ST/REMOTE_ADDR/REMOTE_PORT/SERVER_ID mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "Command Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T08:31:05.193Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-307459 | D-Link DIR-880L Request Header ssdpcgi sub_16570 command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.307459"
},
{
"name": "VDB-307459 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.307459"
},
{
"name": "Submit #556433 | D-Link DIR-880L \u003c=104WWb01 Command execution",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.556433"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/CH13hh/tmp_store_cc/blob/main/DIR-880L/1.md"
},
{
"tags": [
"product"
],
"url": "https://www.dlink.com/"
}
],
"tags": [
"unsupported-when-assigned"
],
"timeline": [
{
"lang": "en",
"time": "2025-05-05T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-05-05T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-05-05T18:59:11.000Z",
"value": "VulDB entry last update"
}
],
"title": "D-Link DIR-880L Request Header ssdpcgi sub_16570 command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-4341",
"datePublished": "2025-05-06T08:31:05.193Z",
"dateReserved": "2025-05-05T16:54:08.791Z",
"dateUpdated": "2025-05-06T13:50:37.275Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4349 (GCVE-0-2025-4349)
Vulnerability from cvelistv5 – Published: 2025-05-06 11:31 – Updated: 2025-05-06 13:29 Unsupported When Assigned
VLAI
Title
D-Link DIR-600L formSysCmd command injection
Summary
A vulnerability classified as critical has been found in D-Link DIR-600L up to 2.07B01. This affects the function formSysCmd. The manipulation of the argument host leads to command injection. It is possible to initiate the attack remotely. This vulnerability only affects products that are no longer supported by the maintainer.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.307467 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.307467 | signaturepermissions-required |
| https://vuldb.com/?submit.558302 | third-party-advisory |
| https://github.com/jylsec/vuldb/blob/main/D-Link/… | related |
| https://www.dlink.com/ | product |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4349",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-06T13:29:33.342542Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T13:29:54.757Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DIR-600L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "2.07B01"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "B1Nn (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as critical has been found in D-Link DIR-600L up to 2.07B01. This affects the function formSysCmd. The manipulation of the argument host leads to command injection. It is possible to initiate the attack remotely. This vulnerability only affects products that are no longer supported by the maintainer."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in D-Link DIR-600L bis 2.07B01 entdeckt. Sie wurde als kritisch eingestuft. Es geht dabei um die Funktion formSysCmd. Mittels Manipulieren des Arguments host mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 9,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "Command Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T11:31:04.439Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-307467 | D-Link DIR-600L formSysCmd command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.307467"
},
{
"name": "VDB-307467 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.307467"
},
{
"name": "Submit #558302 | D-Link DIR-600L 2.07B01 Command Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.558302"
},
{
"tags": [
"related"
],
"url": "https://github.com/jylsec/vuldb/blob/main/D-Link/dlink_dir600l/Command_injection-formSysCmd-sysCmd/README.md"
},
{
"tags": [
"product"
],
"url": "https://www.dlink.com/"
}
],
"tags": [
"unsupported-when-assigned"
],
"timeline": [
{
"lang": "en",
"time": "2025-05-05T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-05-05T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-05-05T19:04:13.000Z",
"value": "VulDB entry last update"
}
],
"title": "D-Link DIR-600L formSysCmd command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-4349",
"datePublished": "2025-05-06T11:31:04.439Z",
"dateReserved": "2025-05-05T16:58:51.336Z",
"dateUpdated": "2025-05-06T13:29:54.757Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4350 (GCVE-0-2025-4350)
Vulnerability from cvelistv5 – Published: 2025-05-06 11:31 – Updated: 2025-05-06 13:28 Unsupported When Assigned
VLAI
Title
D-Link DIR-600L wake_on_lan command injection
Summary
A vulnerability classified as critical was found in D-Link DIR-600L up to 2.07B01. This vulnerability affects the function wake_on_lan. The manipulation of the argument host leads to command injection. The attack can be initiated remotely. This vulnerability only affects products that are no longer supported by the maintainer.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.307468 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.307468 | signaturepermissions-required |
| https://vuldb.com/?submit.558303 | third-party-advisory |
| https://github.com/jylsec/vuldb/blob/main/D-Link/… | related |
| https://www.dlink.com/ | product |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4350",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-06T13:27:50.355115Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T13:28:48.495Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DIR-600L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "2.07B01"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "B1Nn (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as critical was found in D-Link DIR-600L up to 2.07B01. This vulnerability affects the function wake_on_lan. The manipulation of the argument host leads to command injection. The attack can be initiated remotely. This vulnerability only affects products that are no longer supported by the maintainer."
},
{
"lang": "de",
"value": "In D-Link DIR-600L bis 2.07B01 wurde eine Schwachstelle entdeckt. Sie wurde als kritisch eingestuft. Dabei geht es um die Funktion wake_on_lan. Durch das Manipulieren des Arguments host mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 9,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "Command Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T11:31:06.350Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-307468 | D-Link DIR-600L wake_on_lan command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.307468"
},
{
"name": "VDB-307468 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.307468"
},
{
"name": "Submit #558303 | D-Link DIR-600L 2.07B01 Command Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.558303"
},
{
"tags": [
"related"
],
"url": "https://github.com/jylsec/vuldb/blob/main/D-Link/dlink_dir600l/Command_injection-wake_on_lan-mac/README.md"
},
{
"tags": [
"product"
],
"url": "https://www.dlink.com/"
}
],
"tags": [
"unsupported-when-assigned"
],
"timeline": [
{
"lang": "en",
"time": "2025-05-05T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-05-05T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-05-05T19:04:15.000Z",
"value": "VulDB entry last update"
}
],
"title": "D-Link DIR-600L wake_on_lan command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-4350",
"datePublished": "2025-05-06T11:31:06.350Z",
"dateReserved": "2025-05-05T16:58:54.023Z",
"dateUpdated": "2025-05-06T13:28:48.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4357 (GCVE-0-2025-4357)
Vulnerability from cvelistv5 – Published: 2025-05-06 13:31 – Updated: 2025-05-06 14:39
VLAI
Title
Tenda RX3 telnet command injection
Summary
A vulnerability was found in Tenda RX3 16.03.13.11_multi. It has been rated as critical. This issue affects some unknown processing of the file /goform/telnet. The manipulation leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity
4.7 (Medium)
4.7 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.307475 | vdb-entry |
| https://vuldb.com/?ctiid.307475 | signaturepermissions-required |
| https://vuldb.com/?submit.564727 | third-party-advisory |
| https://github.com/Ghostsuzhijian/Iot-/blob/main/… | exploit |
| https://www.tenda.com.cn/ | product |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4357",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-06T14:39:31.762587Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T14:39:36.483Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Ghostsuzhijian/Iot-/blob/main/RX3_telnetd/rx3_telnetd.md"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "RX3",
"vendor": "Tenda",
"versions": [
{
"status": "affected",
"version": "16.03.13.11_multi"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "duojie_0x00 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Tenda RX3 16.03.13.11_multi. It has been rated as critical. This issue affects some unknown processing of the file /goform/telnet. The manipulation leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in Tenda RX3 16.03.13.11_multi ausgemacht. Sie wurde als kritisch eingestuft. Davon betroffen ist unbekannter Code der Datei /goform/telnet. Durch die Manipulation mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.8,
"vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "Command Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T13:31:07.818Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-307475 | Tenda RX3 telnet command injection",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.307475"
},
{
"name": "VDB-307475 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.307475"
},
{
"name": "Submit #564727 | Tenda RX3 V16.03.13.11_multi Command Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.564727"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/Ghostsuzhijian/Iot-/blob/main/RX3_telnetd/rx3_telnetd.md"
},
{
"tags": [
"product"
],
"url": "https://www.tenda.com.cn/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-05-05T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-05-05T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-05-05T19:16:33.000Z",
"value": "VulDB entry last update"
}
],
"title": "Tenda RX3 telnet command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-4357",
"datePublished": "2025-05-06T13:31:07.818Z",
"dateReserved": "2025-05-05T17:11:30.503Z",
"dateUpdated": "2025-05-06T14:39:36.483Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-43842 (GCVE-0-2025-43842)
Vulnerability from cvelistv5 – Published: 2025-05-05 17:08 – Updated: 2025-05-05 17:29
VLAI
Title
GHSL-2025-012_Retrieval-based-Voice-Conversion-WebUI
Summary
Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to command injection. The variables exp_dir1, np7, trainset_dir4 and sr2 take user input and pass it to the preprocess_dataset function, which concatenates them into a command that is run on the server. This can lead to arbitrary command execution. As of time of publication, no known patches exist.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://securitylab.github.com/advisories/GHSL-20… | x_refsource_CONFIRM |
| https://github.com/RVC-Project/Retrieval-based-Vo… | x_refsource_MISC |
| https://github.com/RVC-Project/Retrieval-based-Vo… | x_refsource_MISC |
| https://github.com/RVC-Project/Retrieval-based-Vo… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| RVC-Project | Retrieval-based-Voice-Conversion-WebUI |
Affected:
<= 2.2.231006
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-43842",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-05T17:29:30.479320Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T17:29:51.617Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Retrieval-based-Voice-Conversion-WebUI",
"vendor": "RVC-Project",
"versions": [
{
"status": "affected",
"version": "\u003c= 2.2.231006"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to command injection. The variables\u00a0exp_dir1,\u00a0np7,\u00a0trainset_dir4\u00a0and\u00a0sr2\u00a0take user input and\u00a0pass\u00a0it to the\u00a0preprocess_dataset\u00a0function, which\u00a0concatenates them into a command\u00a0that is\u00a0run\u00a0on the server. This can lead to arbitrary command execution. As of time of publication, no known patches exist."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T17:21:05.312Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://securitylab.github.com/advisories/GHSL-2025-012_GHSL-2025-022_Retrieval-based-Voice-Conversion-WebUI/",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://securitylab.github.com/advisories/GHSL-2025-012_GHSL-2025-022_Retrieval-based-Voice-Conversion-WebUI/"
},
{
"name": "https://github.com/RVC-Project/Retrieval-based-Voice-Conversion-WebUI/blob/7ef19867780cf703841ebafb565a4e47d1ea86ff/infer-web.py#L1227-L1232",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RVC-Project/Retrieval-based-Voice-Conversion-WebUI/blob/7ef19867780cf703841ebafb565a4e47d1ea86ff/infer-web.py#L1227-L1232"
},
{
"name": "https://github.com/RVC-Project/Retrieval-based-Voice-Conversion-WebUI/blob/7ef19867780cf703841ebafb565a4e47d1ea86ff/infer-web.py#L223-L232",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RVC-Project/Retrieval-based-Voice-Conversion-WebUI/blob/7ef19867780cf703841ebafb565a4e47d1ea86ff/infer-web.py#L223-L232"
},
{
"name": "https://github.com/RVC-Project/Retrieval-based-Voice-Conversion-WebUI/blob/7ef19867780cf703841ebafb565a4e47d1ea86ff/infer-web.py#L235",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RVC-Project/Retrieval-based-Voice-Conversion-WebUI/blob/7ef19867780cf703841ebafb565a4e47d1ea86ff/infer-web.py#L235"
}
],
"source": {
"advisory": "GHSA-q52g-57pp-q557",
"discovery": "UNKNOWN"
},
"title": "GHSL-2025-012_Retrieval-based-Voice-Conversion-WebUI"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-43842",
"datePublished": "2025-05-05T17:08:48.481Z",
"dateReserved": "2025-04-17T20:07:08.553Z",
"dateUpdated": "2025-05-05T17:29:51.617Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Architecture and Design
Description:
- If at all possible, use library calls rather than external processes to recreate the desired functionality.
Mitigation
Phase: Implementation
Description:
- If possible, ensure that all external commands called from the program are statically created.
Mitigation ID: MIT-5
Phase: Implementation
Strategy: Input Validation
Description:
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation
Phase: Operation
Description:
- Run time: Run time policy enforcement may be used in an allowlist fashion to prevent use of any non-sanctioned commands.
Mitigation
Phase: System Configuration
Description:
- Assign permissions that prevent the user from accessing/opening privileged files.
CAPEC-136: LDAP Injection
An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value.
CAPEC-15: Command Delimiters
An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
CAPEC-183: IMAP/SMTP Command Injection
An adversary exploits weaknesses in input validation on web-mail servers to execute commands on the IMAP/SMTP server. Web-mail servers often sit between the Internet and the IMAP or SMTP mail server. User requests are received by the web-mail servers which then query the back-end mail server for the requested information and return this response to the user. In an IMAP/SMTP command injection attack, mail-server commands are embedded in parts of the request sent to the web-mail server. If the web-mail server fails to adequately sanitize these requests, these commands are then sent to the back-end mail server when it is queried by the web-mail server, where the commands are then executed. This attack can be especially dangerous since administrators may assume that the back-end server is protected against direct Internet access and therefore may not secure it adequately against the execution of malicious commands.
CAPEC-248: Command Injection
An adversary looking to execute a command of their choosing, injects new items into an existing command thus modifying interpretation away from what was intended. Commands in this context are often standalone strings that are interpreted by a downstream component and cause specific responses. This type of attack is possible when untrusted values are used to build these command strings. Weaknesses in input validation or command construction can enable the attack and lead to successful exploitation.
CAPEC-40: Manipulating Writeable Terminal Devices
This attack exploits terminal devices that allow themselves to be written to by other users. The attacker sends command strings to the target terminal device hoping that the target user will hit enter and thereby execute the malicious command with their privileges. The attacker can send the results (such as copying /etc/passwd) to a known directory and collect once the attack has succeeded.
CAPEC-43: Exploiting Multiple Input Interpretation Layers
An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: <parser1> --> <input validator> --> <parser2>. In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
CAPEC-75: Manipulating Writeable Configuration Files
Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.