CVE-2025-15388
OS Command Injection in QNO Technology VPN Firewall Allows Remote Execution
Publication date: 2025-12-31
Last updated on: 2025-12-31
Assigner: TWCERT/CC
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| qno_technology | vpn_firewall | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15388 is an OS Command Injection vulnerability in QNO Technology's VPN Firewall. It allows authenticated remote attackers to inject and execute arbitrary operating system commands on the server hosting the VPN firewall. This means that an attacker who has valid credentials can run malicious commands on the server, potentially compromising the system. [1, 2]
How can this vulnerability impact me? :
This vulnerability can have a high impact on confidentiality, integrity, and availability of the affected system. An attacker exploiting this flaw can execute arbitrary commands on the server, which may lead to unauthorized data access, data modification, service disruption, or complete system compromise. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate step to mitigate this vulnerability is to contact the vendor, QNO Technology, for a fix or patch addressing the OS Command Injection vulnerability in their VPN Firewall product. [1, 2]