CVE-2025-14485
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-11

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in EFM ipTIME A3004T 14.19.0. This vulnerability affects the function show_debug_screen of the file /sess-bin/timepro.cgi of the component Administrator Password Handler. This manipulation of the argument aaksjdkfj with the input !@dnjsrureljrm*& causes command injection. The attack is possible to be carried out remotely. The complexity of an attack is rather high. It is stated that the exploitability is difficult. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-11
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-11
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14485
EUVD
EUVD-2025-202644
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
efm iptime_a3004t 14.19.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

Detection of this vulnerability involves monitoring for unusual access or command execution attempts targeting the /sess-bin/timepro.cgi endpoint, specifically the show_debug_screen function with the argument 'aaksjdkfj'. Since the vulnerability allows command injection via this argument, network intrusion detection systems (NIDS) or web application firewalls (WAF) can be configured to alert on suspicious payloads containing special characters like '!@dnjsrureljrm*&'. However, no specific detection commands or signatures are provided in the available resources. [1, 3]

Executive Summary

This vulnerability is a command injection flaw in the EFM ipTIME A3004T 14.19.0 router, specifically in the show_debug_screen function of the /sess-bin/timepro.cgi file within the Administrator Password Handler component. By manipulating the argument 'aaksjdkfj' with a crafted input, an attacker can execute arbitrary commands remotely. The attack is complex and difficult to exploit, but a public exploit exists.

Impact Analysis

If exploited, this vulnerability could allow a remote attacker to execute arbitrary commands on the affected device, potentially leading to unauthorized control, data compromise, or disruption of service. However, the attack complexity is high and exploitability is difficult.

Mitigation Strategies

Immediate mitigation steps include discontinuing use of the affected EFM ipTIME A3004T router version 14.19.0, as no vendor response or patches are available. Replacement of the affected product is suggested. Additionally, restricting remote access to the administrative interface, implementing network segmentation, and deploying intrusion detection/prevention systems to monitor and block exploitation attempts can help reduce risk. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14485. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart