CVE-2025-50475
BaseFortify
Publication date: 2025-07-31
Last updated on: 2025-07-31
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| russound | mbx-pre-d67f | 3.1.6 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an OS command injection in the Russound MBX-PRE-D67F firmware version 3.1.6. It allows unauthenticated attackers to execute arbitrary commands with root privileges by sending specially crafted input to the hostname parameter in network configuration requests. The issue arises because the firmware does not properly neutralize special characters in the hostname parameter, enabling remote code execution with the highest level of access.
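One way to close this class of flaw, as an added example (not Russound's firmware code and not code from the original page): accept only RFC 1123 hostnames and apply the value with `sethostname(2)` instead of building a shell command. The function names `is_valid_hostname` and `apply_hostname` are hypothetical, and the firmware's actual request handler is not shown on this page.

```c
#define _DEFAULT_SOURCE            /* exposes sethostname() in <unistd.h> on glibc */
#include <stddef.h>
#include <string.h>
#include <unistd.h>

#define MAX_HOSTNAME_LEN 253
#define MAX_LABEL_LEN    63

static int is_ascii_alnum(unsigned char c)
{
    return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
           (c >= 'A' && c <= 'Z');
}

/* Hypothetical validator: accepts only RFC 1123 hostnames, i.e. dot-separated
 * labels of [A-Za-z0-9-] that neither start nor end with '-'. */
int is_valid_hostname(const char *name)
{
    size_t len, i, label_len = 0;

    if (name == NULL || (len = strlen(name)) == 0 || len > MAX_HOSTNAME_LEN)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];

        if (c == '.') {
            if (label_len == 0 || name[i - 1] == '-')
                return 0;               /* empty label or label ending in '-' */
            label_len = 0;
        } else if (!is_ascii_alnum(c) && c != '-') {
            return 0;                   /* shell metacharacters, spaces, quotes... */
        } else if ((c == '-' && label_len == 0) || ++label_len > MAX_LABEL_LEN) {
            return 0;                   /* leading '-' or over-long label */
        }
    }
    return label_len > 0 && name[len - 1] != '-';   /* no trailing '.' or '-' */
}

/* Hypothetical handler step: reject invalid input outright, then set the name
 * with a direct system call so no command string is ever built. */
int apply_hostname(const char *name)
{
    if (!is_valid_hostname(name))
        return -1;
    return sethostname(name, strlen(name));
}
```

Rejecting the request is preferable to stripping characters from it, because the stored value then always matches what the caller submitted or nothing changes at all.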
How can this vulnerability impact me?
This vulnerability can have severe impacts because it allows attackers to remotely execute any command on the affected device with root privileges and without authentication. This could lead to full system compromise, unauthorized access to sensitive data, disruption of device functionality, and potential use of the device as a foothold to attack other systems in the network.