CVE-2025-55423
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2026-01-20
Last updated on: 2026-01-30
Assigner: MITRE
Description
Description
A command injection vulnerability exists in the upnp_relay() function in multiple ipTIME router models because the controlURL value used to pass port-forwarding information to an upper router is passed to system() without proper validation or sanitization, allowing OS command injection.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| iptime | n104s-r1_firmware | From 9.90.8 (inc) to 10.02.2 (inc) |
| iptime | n104s-r1 | * |
| iptime | n104v_firmware | From 9.90.8 (inc) to 10.06.8 (inc) |
| iptime | n104v | * |
| iptime | n1e_firmware | From 9.90.8 (inc) to 10.06.8 (inc) |
| iptime | n1e | * |
| iptime | n1plus_firmware | From 9.90.8 (inc) to 10.06.8 (inc) |
| iptime | n1plus | * |
| iptime | n1plus-i_firmware | From 9.99.6 (inc) to 10.06.8 (inc) |
| iptime | n1plus-i | * |
| iptime | n1v_firmware | From 11.01.2 (inc) to 12.07.6 (inc) |
| iptime | n1v | * |
| iptime | n2e_firmware | From 9.90.8 (inc) to 10.06.8 (inc) |
| iptime | n2e | * |
| iptime | n2eplus_firmware | From 9.90.8 (inc) to 10.06.8 (inc) |
| iptime | n2eplus | * |
| iptime | n2plus_firmware | From 9.90.8 (inc) to 10.06.8 (inc) |
| iptime | n2plus | * |
| iptime | n2plus-i_firmware | From 9.99.6 (inc) to 10.06.8 (inc) |
| iptime | n2plus-i | * |
| iptime | n2v_firmware | From 10.09.2 (inc) to 12.16.8 (inc) |
| iptime | n2v | * |
| iptime | n2vs_firmware | 12.16.8 |
| iptime | n2vs | * |
| iptime | n3_firmware | From 9.93.2 (inc) to 10.06.8 (inc) |
| iptime | n3 | * |
| iptime | n3-i_firmware | From 9.99.6 (inc) to 10.06.8 (inc) |
| iptime | n3-i | * |
| iptime | n5_firmware | From 9.90.8 (inc) to 10.06.8 (inc) |
| iptime | n5 | * |
| iptime | n5-i_firmware | From 9.99.6 (inc) to 10.06.8 (inc) |
| iptime | n5-i | * |
| iptime | n6_firmware | From 9.96.8 (inc) to 10.06.8 (inc) |
| iptime | n6 | * |
| iptime | n600_firmware | From 10.00.8 (inc) to 12.16.2 (inc) |
| iptime | n600 | * |
| iptime | n6004r_firmware | From 9.90.8 (inc) to 10.02.2 (inc) |
| iptime | n6004r | * |
| iptime | n602e_firmware | From 11.96.6 (inc) to 12.16.8 (inc) |
| iptime | n602e | * |
| iptime | n602eplus_firmware | From 12.14.2 (inc) to 12.16.2 (inc) |
| iptime | n602eplus | * |
| iptime | n602se_firmware | From 14.19.0 (inc) to 14.19.4 (inc) |
| iptime | n602se | * |
| iptime | n604_black_firmware | From 9.93.8 (inc) to 12.16.2 (inc) |
| iptime | n604_black | * |
| iptime | n604a_firmware | From 9.90.8 (inc) to 10.06.8 (inc) |
| iptime | n604a | * |
| iptime | n604e_firmware | From 10.09.2 (inc) to 14.19.4 (inc) |
| iptime | n604e | * |
| iptime | n604eplus_firmware | From 12.14.2 (inc) to 14.19.4 (inc) |
| iptime | n604eplus | * |
| iptime | n604plus_firmware | From 9.90.8 (inc) to 12.15.2 (inc) |
| iptime | n604plus | * |
| iptime | n604plus-i_firmware | From 9.99.6 (inc) to 12.14.6 (inc) |
| iptime | n604plus-i | * |
| iptime | n604r_firmware | From 9.90.8 (inc) to 10.06.8 (inc) |
| iptime | n604r | * |
| iptime | n604rplus_firmware | From 9.90.8 (inc) to 10.06.8 (inc) |
| iptime | n604rplus | * |
| iptime | n604rplus-i_firmware | From 9.99.6 (inc) to 10.06.8 (inc) |
| iptime | n604rplus-i | * |
| iptime | n604s_firmware | From 9.90.8 (inc) to 10.06.8 (inc) |
| iptime | n604s | * |
| iptime | n604se_firmware | From 14.18.4 (inc) to 14.19.4 (inc) |
| iptime | n604se | * |
| iptime | n604t_firmware | From 9.90.8 (inc) to 10.03.2 (inc) |
| iptime | n604t | * |
| iptime | n604tplus_firmware | From 9.90.8 (inc) to 10.03.2 (inc) |
| iptime | n604tplus | * |
| iptime | n604v_firmware | From 9.90.8 (inc) to 10.06.8 (inc) |
| iptime | n604v | * |
| iptime | n604vplus_firmware | From 9.90.8 (inc) to 10.06.8 (inc) |
| iptime | n604vplus | * |
| iptime | n7004ns_firmware | 9.91.2 |
| iptime | n7004ns | * |
| iptime | n702bcm_firmware | From 9.90.8 (inc) to 12.16.2 (inc) |
| iptime | n702bcm | * |
| iptime | n702e_firmware | From 10.09.2 (inc) to 12.16.2 (inc) |
| iptime | n702e | * |
| iptime | ax11000_firmware | From 14.16.6 (inc) to 14.19.4 (inc) |
| iptime | ax11000 | * |
| iptime | ax2002mesh_firmware | From 14.16.6 (inc) to 14.19.4 (inc) |
| iptime | ax2002mesh | * |
| iptime | ax2004_firmware | From 14.17.4 (inc) to 14.19.4 (inc) |
| iptime | ax2004 | * |
| iptime | ax2004bcm_firmware | From 12.04.2 (inc) to 14.19.4 (inc) |
| iptime | ax2004bcm | * |
| iptime | ax2004m_firmware | From 14.02.0 (inc) to 14.19.4 (inc) |
| iptime | ax2004m | * |
| iptime | ax3004bcm_firmware | From 14.16.2 (inc) to 14.19.4 (inc) |
| iptime | ax3004bcm | * |
| iptime | ax3004itl_firmware | From 12.01.2 (inc) to 14.19.4 (inc) |
| iptime | ax3004itl | * |
| iptime | ax8004bcm_firmware | From 11.97.2 (inc) to 14.19.4 (inc) |
| iptime | ax8004bcm | * |
| iptime | ax8004m_firmware | From 14.05.2 (inc) to 14.19.4 (inc) |
| iptime | ax8004m | * |
| iptime | ax8008m_firmware | From 14.15.4 (inc) to 14.19.4 (inc) |
| iptime | ax8008m | * |
| iptime | a1_firmware | From 9.96.8 (inc) to 10.07.4 (inc) |
| iptime | a1 | * |
| iptime | a1004_firmware | From 9.90.8 (inc) to 12.16.2 (inc) |
| iptime | a1004 | * |
| iptime | a1004ns_firmware | From 9.96.0 (inc) to 12.16.2 (inc) |
| iptime | a1004ns | * |
| iptime | a1004v_firmware | From 9.90.8 (inc) to 12.16.2 (inc) |
| iptime | a1004v | * |
| iptime | a104_firmware | From 9.90.8 (inc) to 10.03.8 (inc) |
| iptime | a104 | * |
| iptime | a104ns_firmware | From 9.96.0 (inc) to 12.16.2 (inc) |
| iptime | a104ns | * |
| iptime | a104r_firmware | From 9.90.8 (inc) to 10.07.4 (inc) |
| iptime | a104r_firmware | * |
| iptime | a104r | * |
| iptime | a2003mu_firmware | From 12.13.0 (inc) to 12.16.2 (inc) |
| iptime | a2003mu | * |
| iptime | a2003ns-mu_firmware | From 10.00.6 (inc) to 12.16.2 (inc) |
| iptime | a2003ns-mu | * |
| iptime | a2004_firmware | From 9.90.8 (inc) to 10.07.4 (inc) |
| iptime | a2004 | * |
| iptime | a2004mu_firmware | From 10.08.6 (inc) to 12.17.0 (inc) |
| iptime | a2004mu | * |
| iptime | a2004ns_firmware | From 9.90.8 (inc) to 11.00.4 (inc) |
| iptime | a2004ns | * |
| iptime | a2004ns-mu_firmware | From 10.08.6 (inc) to 12.17.0 (inc) |
| iptime | a2004ns-mu | * |
| iptime | a2004ns-r_firmware | From 9.90.8 (inc) to 11.00.4 (inc) |
| iptime | a2004ns-r | * |
| iptime | a2004nsplus_firmware | From 9.90.8 (inc) to 11.00.4 (inc) |
| iptime | a2004nsplus | * |
| iptime | a2004plus_firmware | From 9.90.8 (inc) to 10.07.4 (inc) |
| iptime | a2004plus | * |
| iptime | a2004r_firmware | From 9.90.8 (inc) to 10.07.4 (inc) |
| iptime | a2004r | * |
| iptime | a2004se_firmware | From 14.16.6 (inc) to 14.19.4 (inc) |
| iptime | a2004se | * |
| iptime | a2008_firmware | From 9.90.8 (inc) to 10.07.4 (inc) |
| iptime | a2008 | * |
| iptime | a3_firmware | From 9.97.2 (inc) to 10.07.2 (inc) |
| iptime | a3 | * |
| iptime | a3002mesh_firmware | From 12.05.4 (inc) to 14.19.4 (inc) |
| iptime | a3002mesh | * |
| iptime | a3003ns_firmware | From 9.99.8 (inc) to 11.00.4 (inc) |
| iptime | a3003ns | * |
| iptime | a3004_firmware | From 9.90.8 (inc) to 10.08.2 (inc) |
| iptime | a3004 | * |
| iptime | a3004-dual_firmware | From 9.90.4 (inc) to 10.07.2 (inc) |
| iptime | a3004-dual | * |
| iptime | a3004m_firmware | From 14.18.4 (inc) to 14.19.4 (inc) |
| iptime | a3004m | * |
| iptime | a3004ns_firmware | From 9.90.2 (inc) to 10.09.4 (inc) |
| iptime | a3004ns | * |
| iptime | a3004ns-bcm_firmware | From 9.95.8 (inc) to 11.00.4 (inc) |
| iptime | a3004ns-bcm | * |
| iptime | a3004ns-dual_firmware | From 9.90.4 (inc) to 12.09.4 (inc) |
| iptime | a3004ns-dual | * |
| iptime | a3004ns-m_firmware | From 10.05.4 (inc) to 14.19.4 (inc) |
| iptime | a3004ns-m | * |
| iptime | a3004t_firmware | From 12.10.2 (inc) to 14.19.4 (inc) |
| iptime | a3004t | * |
| iptime | a3004tw_firmware | From 14.15.2 (inc) to 14.19.4 (inc) |
| iptime | a3004tw | * |
| iptime | a3008-mu_firmware | From 10.08.4 (inc) to 14.19.4 (inc) |
| iptime | a3008-mu | * |
| iptime | a304_firmware | From 10.05.4 (inc) to 10.07.4 (inc) |
| iptime | a304 | * |
| iptime | a5004ns_firmware | From 9.90.2 (inc) to 11.00.4 (inc) |
| iptime | a5004ns | * |
| iptime | a5004ns-m_firmware | From 10.05.4 (inc) to 14.19.4 (inc) |
| iptime | a5004ns-m | * |
| iptime | a6004mx_firmware | From 12.04.6 (inc) to 14.19.4 (inc) |
| iptime | a6004mx | * |
| iptime | a6004ns_firmware | From 9.90.2 (inc) to 11.00.4 (inc) |
| iptime | a6004ns | * |
| iptime | a6004ns-m_firmware | From 9.99.8 (inc) to 14.19.4 (inc) |
| iptime | a6004ns-m | * |
| iptime | a604_firmware | From 9.90.8 (inc) to 12.06.6 (inc) |
| iptime | a604 | * |
| iptime | a604-v3_firmware | From 10.01.6 (inc) to 10.07.2 (inc) |
| iptime | a604-v3 | * |
| iptime | a604-v5_firmware | From 10.09.2 (inc) to 12.16.2 (inc) |
| iptime | a604-v5 | * |
| iptime | a604g-mu_firmware | From 10.07.4 (inc) to 12.16.2 (inc) |
| iptime | a604g-mu | * |
| iptime | a604g-skylife_firmware | From 12.02.4 (inc) to 12.12.4 (inc) |
| iptime | a604g-skylife | * |
| iptime | a604m_firmware | From 10.06.4 (inc) to 10.07.2 (inc) |
| iptime | a604m | * |
| iptime | a604mu_firmware | From 12.12.4 (inc) to 12.16.2 (inc) |
| iptime | a604mu | * |
| iptime | a604r_firmware | From 10.09.2 (inc) to 12.16.2 (inc) |
| iptime | a604r | * |
| iptime | a604se_firmware | From 14.17.2 (inc) to 14.19.4 (inc) |
| iptime | a604se | * |
| iptime | a604v_firmware | From 9.90.8 (inc) to 10.07.4 (inc) |
| iptime | a604v | * |
| iptime | a6ns-m_firmware | From 10.01.6 (inc) to 14.19.4 (inc) |
| iptime | a6ns-m | * |
| iptime | a7004m_firmware | From 10.06.8 (inc) to 14.19.4 (inc) |
| iptime | a7004m | * |
| iptime | a704ns-bcm_firmware | From 9.95.8 (inc) to 11.00.4 (inc) |
| iptime | a704ns-bcm | * |
| iptime | a7ns_firmware | From 9.96.0 (inc) to 11.00.4 (inc) |
| iptime | a7ns | * |
| iptime | a8004bcm_firmware | From 11.99.1 (inc) to 12.16.2 (inc) |
| iptime | a8004bcm | * |
| iptime | a8004itl_firmware | From 11.00.4 (inc) to 14.19.4 (inc) |
| iptime | a8004itl | * |
| iptime | a8004ns-m_firmware | From 9.99.2 (inc) to 14.19.4 (inc) |
| iptime | a8004ns-m | * |
| iptime | a8004t_firmware | From 10.06.8 (inc) to 14.19.4 (inc) |
| iptime | a8004t | * |
| iptime | a8004t-xr_firmware | From 11.97.2 (inc) to 14.19.4 (inc) |
| iptime | a8004t-xr | * |
| iptime | a804ns-mu_firmware | From 10.06.4 (inc) to 12.10.2 (inc) |
| iptime | a804ns-mu | * |
| iptime | a8ns-m_firmware | From 10.03.2 (inc) to 14.19.4 (inc) |
| iptime | a8ns-m | * |
| iptime | a9004m_firmware | From 10.05.4 (inc) to 14.19.4 (inc) |
| iptime | a9004m | * |
| iptime | a9004m-x2_firmware | From 11.98.2 (inc) to 14.19.4 (inc) |
| iptime | a9004m-x2 | * |
| iptime | ew302n_firmware | From 9.90.8 (inc) to 12.16.2 (inc) |
| iptime | ew302n | * |
| iptime | n102e_firmware | From 11.00.8 (inc) to 12.15.2 (inc) |
| iptime | n102e | * |
| iptime | n102eplus_firmware | From 12.14.2 (inc) to 12.15.2 (inc) |
| iptime | n102eplus | * |
| iptime | n102i_firmware | From 11.01.2 (inc) to 12.15.2 (inc) |
| iptime | n102i | * |
| iptime | n102iplus_firmware | From 12.14.2 (inc) to 12.15.2 (inc) |
| iptime | n102iplus | * |
| iptime | n104_black_firmware | From 9.93.8 (inc) to 10.06.8 (inc) |
| iptime | n104_black | * |
| iptime | n104e_firmware | From 10.09.4 (inc) to 12.15.2 (inc) |
| iptime | n104e | * |
| iptime | n104eplus_firmware | From 12.14.2 (inc) to 12.15.2 (inc) |
| iptime | n104eplus | * |
| iptime | n104k_firmware | From 9.90.8 (inc) to 10.06.8 (inc) |
| iptime | n104k | * |
| iptime | n104plus_firmware | From 9.90.8 (inc) to 10.06.8 (inc) |
| iptime | n104plus | * |
| iptime | n104plus-i_firmware | From 9.99.6 (inc) to 10.06.8 (inc) |
| iptime | n104plus-i | * |
| iptime | n104q_firmware | From 9.90.8 (inc) to 10.06.8 (inc) |
| iptime | n104q | * |
| iptime | n104q-i_firmware | From 9.99.6 (inc) to 10.06.8 (inc) |
| iptime | n104q-i | * |
| iptime | n104r_firmware | From 9.90.8 (inc) to 10.06.8 (inc) |
| iptime | n104r | * |
| iptime | n702eplus_firmware | From 12.12.4 (inc) to 12.16.2 (inc) |
| iptime | n702eplus | * |
| iptime | n702r_firmware | From 10.05.8 (inc) to 10.06.8 (inc) |
| iptime | n702r | * |
| iptime | n704-a3_firmware | From 9.90.8 (inc) to 10.06.8 (inc) |
| iptime | n704-a3 | * |
| iptime | n704bcm_firmware | From 9.90.8 (inc) to 12.16.2 (inc) |
| iptime | n704bcm | * |
| iptime | n704e_firmware | From 11.98.4 (inc) to 12.16.2 (inc) |
| iptime | n704e | * |
| iptime | n704eplus_firmware | From 12.14.2 (inc) to 12.16.2 (inc) |
| iptime | n704eplus | * |
| iptime | n704ns_firmware | From 9.91.4 (inc) to 9.96.0 (inc) |
| iptime | n704ns | * |
| iptime | n704qca_firmware | From 10.02.4 (inc) to 12.16.2 (inc) |
| iptime | n704qca | * |
| iptime | n704v3_firmware | From 9.90.8 (inc) to 12.10.2 (inc) |
| iptime | n704v3 | * |
| iptime | n8004r_firmware | From 9.90.8 (inc) to 10.02.2 (inc) |
| iptime | n8004r | * |
| iptime | n8004v_firmware | From 9.90.8 (inc) to 10.02.2 (inc) |
| iptime | n8004v | * |
| iptime | n804_firmware | From 9.91.2 (inc) to 9.96.8 (inc) |
| iptime | n804 | * |
| iptime | n804a_firmware | From 9.91.2 (inc) to 9.96.8 (inc) |
| iptime | n804a | * |
| iptime | n804a3_firmware | From 9.90.8 (inc) to 9.96.8 (inc) |
| iptime | n804a3 | * |
| iptime | n804r_firmware | From 10.06.4 (inc) to 12.16.2 (inc) |
| iptime | n804r | * |
| iptime | n804t_firmware | From 9.91.2 (inc) to 9.96.8 (inc) |
| iptime | n804t | * |
| iptime | n804t3_firmware | From 9.90.8 (inc) to 9.96.8 (inc) |
| iptime | n804t3 | * |
| iptime | n804v_firmware | From 9.91.2 (inc) to 9.96.8 (inc) |
| iptime | n804v | * |
| iptime | n904_firmware | From 9.90.8 (inc) to 10.02.2 (inc) |
| iptime | n904 | * |
| iptime | n904ns_firmware | From 9.91.4 (inc) to 9.96.0 (inc) |
| iptime | n904ns | * |
| iptime | n904plus_firmware | From 9.90.8 (inc) to 10.02.2 (inc) |
| iptime | n904plus | * |
| iptime | n904v_firmware | From 9.90.8 (inc) to 10.02.2 (inc) |
| iptime | n904v | * |
| iptime | smart_firmware | From 9.90.8 (inc) to 9.94.2 (inc) |
| iptime | smart | * |
| iptime | q1_firmware | 9.91.2 |
| iptime | q1 | * |
| iptime | q304_firmware | 9.91.2 |
| iptime | q304 | * |
| iptime | q504_firmware | 9.91.2 |
| iptime | q504 | * |
| iptime | q604_firmware | 9.91.2 |
| iptime | q604 | * |
| iptime | t16000_firmware | From 9.91.2 (inc) to 11.03.6 (inc) |
| iptime | t16000 | * |
| iptime | t16000m_firmware | From 12.07.4 (inc) to 14.19.4 (inc) |
| iptime | t16000m | * |
| iptime | t24000_firmware | From 9.91.2 (inc) to 11.03.6 (inc) |
| iptime | t24000 | * |
| iptime | t24000m_firmware | From 12.07.4 (inc) to 14.19.4 (inc) |
| iptime | t24000m | * |
| iptime | t3004_firmware | From 9.90.8 (inc) to 12.07.6 (inc) |
| iptime | t3004 | * |
| iptime | t3008_firmware | From 9.90.8 (inc) to 12.09.6 (inc) |
| iptime | t3008 | * |
| iptime | t5004_firmware | From 11.96.4 (inc) to 14.19.4 (inc) |
| iptime | t5004 | * |
| iptime | t5008_firmware | From 11.98.2 (inc) to 14.19.4 (inc) |
| iptime | t5008 | * |
| iptime | v304_firmware | 9.91.2 |
| iptime | v304 | * |
| iptime | v504_firmware | From 9.90.8 (inc) to 12.15.2 (inc) |
| iptime | v504 | * |
| iptime | v508_firmware | From 10.02.2 (inc) to 10.06.4 (inc) |
| iptime | v508 | * |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-55423 is an OS command injection vulnerability found in multiple ipTIME router models and firmware versions. It occurs via the function upnp_relay(), allowing an attacker to execute arbitrary operating system commands on the affected device.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to execute arbitrary OS commands on the affected ipTIME routers, potentially leading to unauthorized control over the device, disruption of network services, data interception, or further compromise of the network connected to the router.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2025-55423 vulnerability, immediately update your ipTIME router firmware to the latest available version. Firmware versions starting from approximately 14.19.4 or later include patches addressing this vulnerability. Check your device model and ensure it is running a patched firmware version, such as 15.06.6 or newer if available. If your device is End of Support (EoS) and no patch is available, consider replacing the device with a supported model. Applying the latest firmware updates is the primary recommended mitigation step. [2, 3]
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70