Cyber Posture

CVE-2025-29269

Critical · Public PoC

Published: 04 December 2025

Modified: 16 December 2025
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0045 (63.7th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

ALLNET ALL-RUT22GW v3.3.8 was discovered to contain an OS command injection vulnerability via the command parameter in the popen.cgi endpoint.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly mitigates OS command injection by requiring validation and sanitization of the vulnerable 'command' parameter in the popen.cgi endpoint.

prevent

Establishes a risk-based process to identify, prioritize, and remediate the specific flaw in popen.cgi that enables arbitrary OS command execution.

prevent

Implements boundary protections such as web application firewalls to inspect and block network traffic containing command injection payloads targeting the popen.cgi endpoint.

Security Summary · AI

CVE-2025-29269 is an OS command injection vulnerability affecting ALLNET ALL-RUT22GW version 3.3.8, exploitable via the command parameter in the popen.cgi endpoint. Classified under CWE-78, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for severe impacts across confidentiality, integrity, and availability.

Remote attackers with network access can exploit this vulnerability without authentication, privileges, or user interaction. By injecting malicious commands through the vulnerable parameter, they can achieve arbitrary operating system command execution on the affected device, enabling full compromise including data theft, modification, or denial of service.

Vendor advisories and further details are available at http://all-rut22gw.com and http://allnet.com, alongside analysis in a blog post on critical vulnerabilities in RUT22GW industrial LTE cellular routers at https://blog.byteray.co.uk/critical-vulnerabilities-in-rut22gw-industrial-lte-cellular-routers-f4eb8768feb7?gi=f74ff4eb9f22. The CVE entry does not specify patch availability or mitigation steps.

Details

CWE(s)

Affected Products

allnet · all-rut22gw firmware · 3.3.8

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The vulnerability is an unauthenticated OS command injection in a public-facing CGI endpoint (popen.cgi), directly enabling T1190 (Exploit Public-Facing Application) for initial access and T1059.004 (Unix Shell) for arbitrary command execution on the likely Linux-based router.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
