JD Cloud BE6500 CVE-2025-15081
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability has been found in JD Cloud BE6500 4.4.1.r4308. This issue affects the function sub_4780 of the file /jdcapi. Such manipulation of the argument ddns_name leads to command injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Command injection in JD Cloud BE6500 4.4.1.r4308 via the ddns_name parameter in the /jdcapi endpoint allows authenticated remote attackers to execute arbitrary commands with limited impact (low confidentiality, integrity, and availability). Public exploit code is available. The vendor has not responded to early disclosure notification, and no patch has been released.
Technical ContextAI
The vulnerability exists in function sub_4780 of the /jdcapi endpoint in JD Cloud BE6500. The root cause is CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), which indicates insufficient input validation or sanitization of the ddns_name parameter before it is used in a command execution context. The parameter is likely passed to a shell command without proper escaping or parameterization, allowing an attacker to inject shell metacharacters and execute arbitrary operating system commands on the affected device.
Affected ProductsAI
JD Cloud BE6500 version 4.4.1.r4308 is confirmed affected. The specific CPE designation and whether other firmware versions are impacted are not provided in available data.
RemediationAI
No vendor-released patch is available - the vendor did not respond to early disclosure. Organizations operating JD Cloud BE6500 4.4.1.r4308 should consider the following mitigations: (1) Restrict access to the /jdcapi endpoint to authorized administrators only by implementing network-level access controls (firewall rules, VPN requirements, IP allowlisting) to minimize the authenticated attack surface; (2) Disable DDNS functionality if it is not required for operations, which would eliminate the vulnerable code path; (3) Monitor logs for suspicious API calls to /jdcapi with unusual ddns_name parameter values containing shell metacharacters (pipes, semicolons, backticks, command substitution syntax); (4) Evaluate firmware upgrade options from JD Cloud or consider replacing the device if vendor support is unavailable and the vulnerability poses unacceptable risk to your environment. Implementing strict access controls is the most practical immediate mitigation, as it requires only authentication to trigger the vulnerability.
Same technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today