CVE-2025-5834 (GCVE-0-2025-5834)

Vulnerability from cvelistv5 – Published: 2025-06-25 17:58 – Updated: 2025-06-25 18:25
VLAI?
Summary
Pioneer DMH-WT7600NEX Missing Immutable Root of Trust in Hardware Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to bypass authentication on affected installations of Pioneer DMH-WT7600NEX devices. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the configuration of the application system-on-chip (SoC). The issue results from the lack of a properly configured hardware root of trust. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the boot process. Was ZDI-CAN-26078.
Severity ?
4.4 (Medium)
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
CWE
  • CWE-1326 - Missing Immutable Root of Trust in Hardware
Assigner
zdi
References
Impacted products
Vendor Product Version
Pioneer DMH-WT7600NEX Affected: 3.05
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-5834",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-25T18:24:52.453170Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-25T18:25:01.536Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "DMH-WT7600NEX",
          "vendor": "Pioneer",
          "versions": [
            {
              "status": "affected",
              "version": "3.05"
            }
          ]
        }
      ],
      "dateAssigned": "2025-06-06T19:40:50.233Z",
      "datePublic": "2025-06-11T17:29:49.034Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Pioneer DMH-WT7600NEX Missing Immutable Root of Trust in Hardware Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to bypass authentication on affected installations of Pioneer DMH-WT7600NEX devices. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.\n\nThe specific flaw exists within the configuration of the application system-on-chip (SoC). The issue results from the lack of a properly configured hardware root of trust. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the boot process. Was ZDI-CAN-26078."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.0"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1326",
              "description": "CWE-1326: Missing Immutable Root of Trust in Hardware",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-25T17:58:03.727Z",
        "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "shortName": "zdi"
      },
      "references": [
        {
          "name": "ZDI-25-351",
          "tags": [
            "x_research-advisory"
          ],
          "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-351/"
        }
      ],
      "source": {
        "lang": "en",
        "value": "Dmitry \"InfoSecDJ\" Janushkevich of Trend Micro Zero Day Initiative"
      },
      "title": "Pioneer DMH-WT7600NEX Missing Immutable Root of Trust in Hardware Local Privilege Escalation Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
    "assignerShortName": "zdi",
    "cveId": "CVE-2025-5834",
    "datePublished": "2025-06-25T17:58:03.727Z",
    "dateReserved": "2025-06-06T19:40:50.204Z",
    "dateUpdated": "2025-06-25T18:25:01.536Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-5834\",\"sourceIdentifier\":\"zdi-disclosures@trendmicro.com\",\"published\":\"2025-06-25T18:15:24.337\",\"lastModified\":\"2025-07-08T14:51:29.567\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Pioneer DMH-WT7600NEX Missing Immutable Root of Trust in Hardware Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to bypass authentication on affected installations of Pioneer DMH-WT7600NEX devices. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.\\n\\nThe specific flaw exists within the configuration of the application system-on-chip (SoC). The issue results from the lack of a properly configured hardware root of trust. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the boot process. Was ZDI-CAN-26078.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de escalada de privilegios locales de hardware: falta de ra\u00edz de confianza inmutable en el dispositivo Pioneer DMH-WT7600NEX. Esta vulnerabilidad permite a atacantes locales eludir la autenticaci\u00f3n en las instalaciones afectadas de los dispositivos Pioneer DMH-WT7600NEX. Si bien se requiere autenticaci\u00f3n para explotar esta vulnerabilidad, el mecanismo de autenticaci\u00f3n existente puede eludirse. La falla espec\u00edfica se encuentra en la configuraci\u00f3n del sistema en chip (SoC) de la aplicaci\u00f3n. El problema se debe a la falta de una ra\u00edz de confianza de hardware correctamente configurada. Un atacante puede aprovechar esta vulnerabilidad para escalar privilegios y ejecutar c\u00f3digo arbitrario durante el arranque. Anteriormente, se denomin\u00f3 ZDI-CAN-26078.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}],\"cvssMetricV30\":[{\"source\":\"zdi-disclosures@trendmicro.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":4.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":0.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"zdi-disclosures@trendmicro.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1326\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:pioneer:dmh-wt7600nex_firmware:3.05:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AE9170F1-CDF6-49D5-9501-A3DA09D419CB\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:pioneer:dmh-wt7600nex:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E9082E28-D451-488C-A621-4A174B887EB3\"}]}]}],\"references\":[{\"url\":\"https://www.zerodayinitiative.com/advisories/ZDI-25-351/\",\"source\":\"zdi-disclosures@trendmicro.com\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-5834\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-25T18:24:52.453170Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-25T18:24:55.726Z\"}}], \"cna\": {\"title\": \"Pioneer DMH-WT7600NEX Missing Immutable Root of Trust in Hardware Local Privilege Escalation Vulnerability\", \"source\": {\"lang\": \"en\", \"value\": \"Dmitry \\\"InfoSecDJ\\\" Janushkevich of Trend Micro Zero Day Initiative\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_0\": {\"version\": \"3.0\", \"baseScore\": 4.4, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N\"}}], \"affected\": [{\"vendor\": \"Pioneer\", \"product\": \"DMH-WT7600NEX\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.05\"}], \"defaultStatus\": \"unknown\"}], \"datePublic\": \"2025-06-11T17:29:49.034Z\", \"references\": [{\"url\": \"https://www.zerodayinitiative.com/advisories/ZDI-25-351/\", \"name\": \"ZDI-25-351\", \"tags\": [\"x_research-advisory\"]}], \"dateAssigned\": \"2025-06-06T19:40:50.233Z\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"Pioneer DMH-WT7600NEX Missing Immutable Root of Trust in Hardware Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to bypass authentication on affected installations of Pioneer DMH-WT7600NEX devices. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.\\n\\nThe specific flaw exists within the configuration of the application system-on-chip (SoC). The issue results from the lack of a properly configured hardware root of trust. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the boot process. Was ZDI-CAN-26078.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1326\", \"description\": \"CWE-1326: Missing Immutable Root of Trust in Hardware\"}]}], \"providerMetadata\": {\"orgId\": \"99f1926a-a320-47d8-bbb5-42feb611262e\", \"shortName\": \"zdi\", \"dateUpdated\": \"2025-06-25T17:58:03.727Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-5834\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-25T18:25:01.536Z\", \"dateReserved\": \"2025-06-06T19:40:50.204Z\", \"assignerOrgId\": \"99f1926a-a320-47d8-bbb5-42feb611262e\", \"datePublished\": \"2025-06-25T17:58:03.727Z\", \"assignerShortName\": \"zdi\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.