CVE-2025-1616
Published: 24 February 2025
Description
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
Security Summary
CVE-2025-1616 is a critical vulnerability in the FiberHome AN5506-01A ONU GPON RP2511 device, specifically affecting an unknown functionality within the Diagnosis component. The issue arises from OS command injection triggered by manipulating the Destination Address argument, classified under CWE-77 and CWE-78. It carries a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-02-24.
The vulnerability can be exploited remotely by attackers who possess high privileges (PR:H) on the affected device, with low attack complexity and no requirement for user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, enabling arbitrary OS command execution through the injected Destination Address argument.
Advisories from VulDB indicate that the exploit has been publicly disclosed and is available for use, with references at https://vuldb.com/?ctiid.296606, https://vuldb.com/?id.296606, and https://vuldb.com/?submit.501483. The vendor was contacted early regarding the disclosure but provided no response, and no patches or specific mitigations are mentioned.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection via the web Diagnosis 'Destination Address' parameter enables exploitation of public-facing application (T1190), indirect command execution through the diagnostic utility (T1202), and arbitrary command execution on the network device akin to CLI abuse (T1059.008).