Cyber Posture

CVE-2025-66848

Critical

Published: 30 December 2025
Modified: 09 January 2026
KEV Added: (none listed)
Patch: (none listed)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0060 (69.5th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

JD Cloud NAS routers AX1800 (4.3.1.r4308 and earlier), AX3000 (4.3.1.r4318 and earlier), AX6600 (4.5.1.r4533 and earlier), BE6500 (4.4.1.r4308 and earlier), ER1 (4.5.1.r4518 and earlier), and ER2 (4.5.1.r4518 and earlier) contain an unauthorized remote command execution vulnerability.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- Prevent: requires timely identification, reporting, and remediation of flaws such as this unauthorized remote command execution vulnerability in router firmware.
- Prevent: explicitly identifies, authorizes, and controls actions that can be performed without identification or authentication, preventing unauthorized remote command execution.
- Prevent: monitors and controls communications at external interfaces, restricting network access to vulnerable NAS routers and blocking exploitation attempts.

Security Summary [AI-generated]

CVE-2025-66848 is an unauthorized remote command execution vulnerability (CWE-94) present in JD Cloud NAS routers. Affected models and versions include AX1800 (4.3.1.r4308 and earlier), AX3000 (4.3.1.r4318 and earlier), AX6600 (4.5.1.r4533 and earlier), BE6500 (4.4.1.r4308 and earlier), ER1 (4.5.1.r4518 and earlier), and ER2 (4.5.1.r4518 and earlier). The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-12-30.

Remote attackers with network access to affected routers can exploit this vulnerability without authentication, privileges, or user interaction. Successful exploitation enables arbitrary command execution, potentially leading to high-impact compromise of confidentiality, integrity, and availability on the targeted devices.

Mitigation guidance is available in vendor advisories, including those at http://jd.com, https://www.notion.so/JD-Cloud-Unauth-RCE-2d22b76e8e0c802c975bf186b208d0c2, and https://www.jdcloud.com/cn/.

Details

CWE(s): CWE-94

Affected Products (vendor / product / affected versions)

jdcloud / ax1800 firmware / ≤ 4.3.1.r4308
jdcloud / ax3000 firmware / ≤ 4.3.1.r4318
jdcloud / ax6600 firmware / ≤ 4.5.1.r4533
jdcloud / be6500 firmware / ≤ 4.4.1.r4308
jdcloud / er1 firmware / ≤ 4.5.1.r4518
jdcloud / er2 firmware / ≤ 4.5.1.r4518

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables unauthorized remote command execution (RCE) on public-facing JD Cloud NAS routers without authentication, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
