CVE-2025-52377
BaseFortify
Publication date: 2025-07-15
Last updated on: 2025-07-15
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nexxt_solutions | ncm-x1800_mesh_router | uv1.2.7 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a command injection flaw in Nexxt Solutions NCM-X1800 Mesh Router (version UV1.2.7 and below). It occurs in the web management interface's ping and traceroute functionality, specifically at the /web/um_ping_set.cgi endpoint. The application does not properly sanitize user input in the Ping_host_text parameter, allowing authenticated attackers to inject and execute arbitrary shell commands on the device with root privileges.
How can this vulnerability impact me? :
An attacker who exploits this vulnerability can execute arbitrary commands on the affected router as the root user. This can lead to full control over the device, allowing the attacker to manipulate network traffic, disrupt services, steal sensitive information, or use the device as a foothold for further attacks within the network.