Executive Summary

CVE-2025-67113 is an OS command injection vulnerability in the CWMP client (/ftl/bin/cwmp) of the Small Cell Sercomm SCE4255W device firmware before DG3934v3@2308041842. The vulnerability occurs because the CWMP client improperly validates the Download URL parameter received from the ACS server. This URL is passed without escaping or sanitization into the firmware upgrade pipeline, allowing shell metacharacters to be executed.

An attacker controlling the ACS endpoint can send a crafted TR-069 Download URL containing shell commands. These commands are executed as root on the device, enabling full device compromise. The vulnerability arises from the CWMP client concatenating the attacker-controlled URL into shell commands without neutralizing dangerous characters, leading to arbitrary command execution.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows a remote attacker who controls the ACS server endpoint to execute arbitrary commands as root on the affected device. This means the attacker can fully compromise the device, gaining complete control over its functions and data.

• Full device compromise with root privileges.
• Execution of arbitrary commands, potentially leading to unauthorized access, data theft, or disruption of service.
• Potential to open backdoors, such as a root shell accessible remotely.
• Undermining the security of private LTE networks relying on this device.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "The vulnerability can be detected by monitoring for unusual or unauthorized CWMP Download commands sent to the device's ACS endpoint, especially those containing suspicious URLs with shell metacharacters. Since the exploit involves execution of arbitrary commands as root via crafted TR-069 Download URLs, network administrators should look for unexpected connections or commands targeting the CWMP client (/ftl/bin/cwmp)."}, {'type': 'paragraph', 'content': 'One practical detection method is to check for open TCP port 42588, which was used in the exploit demonstration to spawn a root shell via socat. You can use commands like:'}, {'type': 'list_item', 'content': 'netstat -tuln | grep 42588'}, {'type': 'list_item', 'content': 'ss -tuln | grep 42588'}, {'type': 'paragraph', 'content': 'Additionally, inspecting the device logs or network traffic for CWMP Download messages containing suspicious URLs with shell metacharacters (e.g., backticks) may help detect exploitation attempts.'}] [3]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Restrict or disable remote ACS server access to the CWMP client to trusted and verified endpoints only.
• Update the device firmware to a version later than DG3934v3@2308041842 where the vulnerability is fixed.
• Monitor and block suspicious TR-069 Download commands containing shell metacharacters or unexpected URLs.
• If firmware update is not immediately possible, consider isolating the device from untrusted networks to prevent malicious ACS servers from being reachable.
• Check for and close any unauthorized open ports such as TCP 42588 that may be used by attackers to gain root shell access.

Useful 0 Not Useful 0