Cyber Posture

CVE-2025-67113

Critical

Published: 19 March 2026
Modified: 24 March 2026
KEV Added: (no date listed)
Patch: available
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0045 (63.6th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

OS command injection in the CWMP client (/ftl/bin/cwmp) of Small Cell Sercomm SCE4255W (FreedomFi Englewood) firmware before DG3934v3@2308041842 allows remote attackers controlling the ACS endpoint to execute arbitrary commands as root via a crafted TR-069 Download URL that is passed unescaped into the firmware upgrade pipeline.

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly prevents OS command injection by requiring validation of the TR-069 Download URL before it is passed into the firmware upgrade pipeline.

Prevent: Addresses the specific flaw in the CWMP client by identifying, prioritizing, and applying the firmware upgrade to DG3934v3@2308041842 or later.

Prevent: Enforces restrictions on the types and quantity of TR-069 Download URL inputs to the CWMP client, limiting opportunities for crafted malicious payloads.
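The first and third controls above both come down to the same engineering change: validate the ACS-supplied Download URL against a strict allowlist, and then hand it to the downloader as a single argv element rather than through a shell. The following C program is an added example written for this page; it is not code from the Sercomm firmware, FreedomFi, or the cited advisories. The downloader path (/usr/bin/curl), its flags, the length limit and the character allowlist are all assumptions chosen for illustration, and the sample URLs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_URL_LEN 512   /* assumed upper bound for an upgrade URL */

/* Allowlist for characters after the scheme. Deliberately narrower than
 * RFC 3986: shell metacharacters (; | & ` $ ( ) < > ' " \ and whitespace)
 * and '#' are excluded, so a URL that passes can never be read as more
 * than one argument or as a command separator by any downstream tool. */
static int url_char_ok(unsigned char c)
{
    return isalnum(c) || strchr("-._~:/?=&%@+,", c) != NULL;
}

/* Validate an ACS-supplied Download URL before it enters the upgrade
 * pipeline. Returns 1 if acceptable, 0 otherwise. Assumed policy:
 * http or https only, a non-empty host, bounded length, allowlisted bytes. */
int validate_download_url(const char *url)
{
    const char *rest;
    size_t len;

    if (url == NULL)
        return 0;
    len = strlen(url);
    if (len == 0 || len > MAX_URL_LEN)
        return 0;
    if (strncmp(url, "https://", 8) == 0)
        rest = url + 8;
    else if (strncmp(url, "http://", 7) == 0)
        rest = url + 7;
    else
        return 0;                       /* reject file://, ftp://, etc. */
    if (*rest == '\0' || *rest == '/')
        return 0;                       /* host part must be present */
    for (; *rest != '\0'; rest++)
        if (!url_char_ok((unsigned char)*rest))
            return 0;
    return 1;
}

/* Fetch the image with the URL as one argv element, never via a shell, so
 * even a URL that slipped past validation is still only data to curl.
 * Downloader path and flags are assumptions. Returns 0 on success, -1 on
 * validation failure or downloader error. */
int run_download(const char *url, const char *dest_path)
{
    pid_t pid;
    int status = 0;

    if (!validate_download_url(url) || dest_path == NULL)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = {
            "/usr/bin/curl", "-fsSL", "--max-time", "120",
            "-o", (char *)dest_path, "--", (char *)url, NULL
        };
        char *const envp[] = { NULL };  /* no inherited environment */
        execve(argv[0], argv, envp);
        _exit(127);                     /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    /* Constructed sample inputs: one benign URL, two carrying shell syntax. */
    const char *samples[] = {
        "https://acs.example.net/fw/DG3934v3.bin",
        "https://acs.example.net/fw.bin;ls",
        "http://acs.example.net/$(true)",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-45s -> %s\n", samples[i],
               validate_download_url(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

The two layers are independent on purpose: the allowlist rejects anything that is not plausibly a firmware URL, and execve with a fixed argv removes the shell from the path entirely, so neither check alone has to be perfect. A detection-side counterpart is to log every rejected URL together with the ACS address that sent it, since a legitimate ACS has no reason to emit URLs containing shell syntax.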

Security Summary

CVE-2025-67113, published on 2026-03-19, is an OS command injection vulnerability (CWE-94) in the CWMP client at /ftl/bin/cwmp within the Small Cell Sercomm SCE4255W (FreedomFi Englewood) firmware versions before DG3934v3@2308041842. The flaw enables unescaped input from a TR-069 Download URL to be processed in the firmware upgrade pipeline. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting critical severity due to its network reach, low complexity, and potential for high-impact confidentiality, integrity, and availability effects.

Remote attackers who control the ACS endpoint can exploit this vulnerability by supplying a crafted TR-069 Download URL during a firmware upgrade interaction. The unescaped URL injects and executes arbitrary OS commands as root on the targeted device, granting full system compromise without requiring user privileges or interaction.

Mitigation requires upgrading to firmware version DG3934v3@2308041842 or later, as earlier versions are affected. Additional details appear in advisories referenced at the FCC report (https://fcc.report/FCC-ID/P27-SCE4255W/4790935.pdf), FreedomFi website (https://freedomfi.com/index.html), and Nero Team blog (https://neroteam.com/blog/freedomfi-sercomm-sce4255w-englewood).

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

The vulnerability is a remote OS command injection in a network-exposed CWMP/TR-069 client, enabling exploitation of a public-facing application (T1190), exploitation of remote services (T1210), and arbitrary Unix shell command execution as root (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

FCC report: https://fcc.report/FCC-ID/P27-SCE4255W/4790935.pdf
FreedomFi website: https://freedomfi.com/index.html
Nero Team blog: https://neroteam.com/blog/freedomfi-sercomm-sce4255w-englewood