
Qhs710 Firmware CVE-2025-32458

EUVD-2025-17406 HIGH
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
2025-06-08 cve@takeonme.org
7.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
7.7 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

EUVD ID Assigned: Mar 14, 2026 - 19:17 (euvd), EUVD-2025-17406
Analysis Generated: Mar 14, 2026 - 19:17 (vuln.today)
CVE Published: Jun 08, 2025 - 21:15 (nvd), HIGH 7.7

Description (CVE.org)

The Quantenna Wi-Fi chipset ships with a local control script, router_command.sh (in the get_syslog_from_qtn argument), that is vulnerable to command injection. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.7 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). This issue affects Quantenna Wi-Fi chipset through version 8.0.0.28 of the latest SDK, and appears to be unpatched at the time of this CVE record's first publishing, though the vendor has released a best practices guide for implementors of this chipset.

Analysis (AI)

A command injection vulnerability in the Quantenna Wi-Fi chipset control script router_command.sh allows local, unauthenticated attackers to execute arbitrary commands, with high impact to confidentiality and integrity. The vulnerability affects the Quantenna Wi-Fi chipset through version 8.0.0.28 of the SDK and remains unpatched at disclosure, though the vendor has issued a best practices guide rather than a direct security patch. With a CVSS score of 7.7 and a local attack vector, this represents a significant risk to deployed routers and wireless access points using this chipset.

Technical Context (AI)

The vulnerability is classified as CWE-88 (Argument Injection), a class of input validation flaws in which user-supplied data is not properly sanitized before being used as command-line arguments. The affected component is router_command.sh, a local control script in the Quantenna Wi-Fi chipset, specifically the get_syslog_from_qtn argument handler. Quantenna chipsets are widely used in consumer and enterprise Wi-Fi 6 routers and access points. The root cause is insufficient neutralization of special characters and argument delimiters (such as semicolons, pipes, backticks, or command substitution syntax) that could allow an attacker to break out of the intended argument context and inject arbitrary shell commands. This is a classic shell metacharacter injection flaw, distinct from SQL injection or other context-specific injection attacks.

Remediation (AI)

Primary remediation:

(1) Await and deploy vendor-provided security patches for affected routers once available (monitor vendor security advisories for specific version updates).
(2) The Quantenna vendor has released a best practices guide for chipset implementors; device manufacturers should immediately apply these recommendations to their code.
(3) For immediate risk reduction: restrict local access to affected devices (disable SSH, limit console access, use network segmentation to limit who can access device management interfaces), and disable or restrict the get_syslog_from_qtn functionality if not required.
(4) Implement input validation and argument sanitization in any wrapper scripts around router_command.sh, explicitly filtering for shell metacharacters (;|&$(){}[]<>\`'"\n).
(5) Consider running router_command.sh in a restricted shell environment (e.g., rbash) or via a security wrapper that validates arguments against a whitelist.

Workaround: temporarily downgrade to router_command.sh usage patterns that do not invoke the vulnerable get_syslog_from_qtn argument, or disable syslog retrieval functionality entirely until patched.

No direct patch version was provided in the vulnerability disclosure; contact device manufacturer for specific security update availability.
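
The wrapper that items (4) and (5) describe, as an added example rather than code from the vendor or the CVE record. The call shape `router_command.sh get_syslog_from_qtn <value>`, the permitted character set and the 64-character limit are assumptions. It accepts only known-good characters instead of filtering metacharacters, because a leading `-` or embedded whitespace also changes how arguments are parsed (CWE-88) and neither appears in the metacharacter list above.

```shell
#!/bin/sh
# Added example, not vendor code. Assumed call shape:
#   router_command.sh get_syslog_from_qtn <value>
LC_ALL=C; export LC_ALL          # make bracket ranges byte-exact

# Overridable so the wrapper can be exercised without the SDK installed.
ROUTER_CMD="${ROUTER_CMD:-router_command.sh}"

# is_safe_arg VALUE -> exit status 0 if VALUE is one inert token, else 1.
is_safe_arg() {
    [ "${#1}" -le 64 ] || return 1            # assumed length limit
    case "$1" in
        '')                  return 1 ;;      # empty value
        -*)                  return 1 ;;      # would be read as an option
        *[!A-Za-z0-9._:-]*)  return 1 ;;      # outside the allowlist
    esac
    return 0
}

# safe_get_syslog VALUE -> runs the script only for an accepted VALUE.
safe_get_syslog() {
    if ! is_safe_arg "$1"; then
        echo "safe_get_syslog: argument rejected" >&2
        return 2
    fi
    # Quoting keeps VALUE a single word in this call; the allowlist is what
    # protects any unquoted expansion inside the script itself.
    "$ROUTER_CMD" get_syslog_from_qtn "$1"
}
```

Narrow the character set further if the real argument has a known format, such as a fixed set of log names.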
