CVE-2025-28219
Published: 28 March 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2025-28219 is an OS command injection vulnerability (CWE-78) in the Netgear DC112A device running firmware version V1.0.0.64. The issue affects the usb_adv.cgi component, where the "deviceName" parameter passed to a binary via a POST request lacks proper input validation, allowing remote attackers to inject and execute arbitrary operating system commands.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with network accessibility, low attack complexity, no privileges or user interaction required, and high impacts on confidentiality, integrity, and availability. Unauthenticated remote attackers can exploit it to gain full control over the device by crafting malicious POST requests to usb_adv.cgi.
A technical analysis of the vulnerability is documented in a PDF available at https://github.com/IdaJea/IOT_vuln_1/blob/master/DC112A_V1.0.0.64/sub_69600.pdf. No official advisory or patch is referenced.
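With no patch referenced, detection at a proxy or log pipeline in front of the device is the practical control. The following is an added example, not code from the advisory or from Netgear: it flags POST requests to usb_adv.cgi whose decoded deviceName value contains shell metacharacters. The record field names (src, method, path, body), the request path layout and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Characters a shell treats specially; a USB device label has no need for them.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\r\n]")
TARGET_PATH = "usb_adv.cgi"   # component named in the advisory
TARGET_PARAM = "deviceName"   # parameter named in the advisory


def suspicious_device_names(method, path, body):
    """Return decoded deviceName values that contain shell metacharacters."""
    if method.upper() != "POST" or TARGET_PATH not in path:
        return []
    # parse_qs URL-decodes each value, so encoded forms such as %3B are caught.
    params = parse_qs(body, keep_blank_values=True)
    return [v for v in params.get(TARGET_PARAM, []) if SHELL_META.search(v)]


def scan(requests):
    """Return (source address, offending value) for every flagged record."""
    hits = []
    for req in requests:
        for value in suspicious_device_names(req["method"], req["path"], req["body"]):
            hits.append((req["src"], value))
    return hits


# Constructed sample records (not captured traffic); addresses are documentation ranges.
SAMPLE = [
    {"src": "192.0.2.10", "method": "POST", "path": "/usb_adv.cgi",
     "body": "deviceName=MyDisk&action=apply"},
    {"src": "198.51.100.7", "method": "POST", "path": "/usb_adv.cgi",
     "body": "deviceName=disk%3Becho+test&action=apply"},
    {"src": "198.51.100.7", "method": "POST", "path": "/usb_adv.cgi",
     "body": "deviceName=disk%60x%60"},
    {"src": "192.0.2.10", "method": "GET", "path": "/usb_adv.cgi", "body": ""},
    {"src": "203.0.113.5", "method": "POST", "path": "/other.cgi",
     "body": "deviceName=a%7Cb"},
]

if __name__ == "__main__":
    for src, value in scan(SAMPLE):
        print(f"ALERT {src} deviceName={value!r}")
```

Because the advisory rates the flaw as exploitable without authentication, any hit from outside the management network deserves triage even if the device shows no other symptoms.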
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in public-facing usb_adv.cgi enables remote unauthenticated exploitation of the web application (T1190) and direct execution of arbitrary Unix shell commands (T1059.004).