Skip to main content

JD Cloud BE6500 CVE-2025-15081

LOW
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2025-12-25 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 03:00 vuln.today

DescriptionCVE.org

A vulnerability has been found in JD Cloud BE6500 4.4.1.r4308. This issue affects the function sub_4780 of the file /jdcapi. Such manipulation of the argument ddns_name leads to command injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Command injection in JD Cloud BE6500 4.4.1.r4308 via the ddns_name parameter in the /jdcapi endpoint allows authenticated remote attackers to execute arbitrary commands with limited impact (low confidentiality, integrity, and availability). Public exploit code is available. The vendor has not responded to early disclosure notification, and no patch has been released.

Technical ContextAI

The vulnerability exists in function sub_4780 of the /jdcapi endpoint in JD Cloud BE6500. The root cause is CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), which indicates insufficient input validation or sanitization of the ddns_name parameter before it is used in a command execution context. The parameter is likely passed to a shell command without proper escaping or parameterization, allowing an attacker to inject shell metacharacters and execute arbitrary operating system commands on the affected device.

Affected ProductsAI

JD Cloud BE6500 version 4.4.1.r4308 is confirmed affected. The specific CPE designation and whether other firmware versions are impacted are not provided in available data.

RemediationAI

No vendor-released patch is available - the vendor did not respond to early disclosure. Organizations operating JD Cloud BE6500 4.4.1.r4308 should consider the following mitigations: (1) Restrict access to the /jdcapi endpoint to authorized administrators only by implementing network-level access controls (firewall rules, VPN requirements, IP allowlisting) to minimize the authenticated attack surface; (2) Disable DDNS functionality if it is not required for operations, which would eliminate the vulnerable code path; (3) Monitor logs for suspicious API calls to /jdcapi with unusual ddns_name parameter values containing shell metacharacters (pipes, semicolons, backticks, command substitution syntax); (4) Evaluate firmware upgrade options from JD Cloud or consider replacing the device if vendor support is unavailable and the vulnerability poses unacceptable risk to your environment. Implementing strict access controls is the most practical immediate mitigation, as it requires only authentication to trigger the vulnerability.

Share

CVE-2025-15081 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy