EUVD-2025-17407CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3Tags
Description
The Quantenna Wi-Fi chipset ships with a local control script, router_command.sh (in the put_file_to_qtn argument), that is vulnerable to command injection. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.7 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). This issue affects Quantenna Wi-Fi chipset through version 8.0.0.28 of the latest SDK, and appears to be unpatched at the time of this CVE record's first publishing, though the vendor has released a best practices guide for implementors of this chipset.
Analysis
A command injection vulnerability exists in the Quantenna Wi-Fi chipset's router_command.sh script affecting versions through 8.0.0.28 of the SDK. The flaw allows unauthenticated local attackers to inject arbitrary commands via improper argument handling in the put_file_to_qtn parameter, potentially leading to confidentiality and integrity compromise. No official patch is available as of the CVE publication date, though the vendor has released mitigation guidance; this vulnerability is not currently tracked as actively exploited in CISA's Known Exploited Vulnerabilities catalog.
Technical Context
This vulnerability is an instance of CWE-88 (Argument Injection), where shell metacharacters and command delimiters are not properly sanitized when passed to the router_command.sh script. The affected component is a local control/management script on Quantenna Wi-Fi chipsets (typically integrated into enterprise or ISP-grade router and access point equipment). The put_file_to_qtn argument handler fails to quote or escape user-supplied input before passing it to shell execution contexts, allowing attackers to break out of intended argument boundaries and inject arbitrary shell commands. This is a classic shell command construction vulnerability stemming from insufficient input validation in the argument parsing logic, enabling attackers to achieve command-level code execution with the privileges of the script's execution context (typically root or elevated chipset firmware privileges).
Affected Products
Quantenna Wi-Fi chipset SDK version 8.0.0.28 and earlier versions are affected. Specific products include enterprise/ISP router and wireless access point equipment integrating Quantenna chipsets—though exact CPE strings for end-product devices are not provided in the CVE record. Affected component: router_command.sh script with vulnerable put_file_to_qtn argument handler. Quantenna is primarily used in enterprise WiFi infrastructure (access points, routers, and mesh systems); affected versions are those shipping with SDK ≤8.0.0.28. Vendor advisories or patch status should be checked directly with Quantenna and device manufacturers using their chipsets.
Remediation
No official patch version is documented in the CVE record at publication time. Recommended remediation: (1) Contact your router/access point manufacturer to determine if an updated firmware incorporating a patched Quantenna SDK is available; (2) Review and implement Quantenna's published best practices guide for developers integrating this chipset, which likely includes argument validation and escaping recommendations; (3) Apply compensating controls: restrict local access to the device (disable SSH/telnet for untrusted users, enforce strong authentication); (4) Implement input validation on the router_command.sh script by sanitizing the put_file_to_qtn argument (proper shell escaping via functions like shquote or using safe argument passing mechanisms rather than eval/direct shell concatenation); (5) Monitor for vendor security advisories and newer SDK versions that address this issue; (6) For high-risk deployments, consider network segmentation to limit local attack surface. Contact Quantenna directly or check their security advisories for the timeline and availability of patched SDK versions.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today