CVE-2025-32458

EUVD-2025-17406
Severity: HIGH 7.7 (CVSS 3.1)
Published: 2025-06-08

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 19:17 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 19:17 (euvd), EUVD-2025-17406
CVE Published: Jun 08, 2025 - 21:15 (nvd), HIGH 7.7

Description

The Quantenna Wi-Fi chipset ships with a local control script, router_command.sh (in the get_syslog_from_qtn argument), that is vulnerable to command injection. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.7 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). This issue affects Quantenna Wi-Fi chipset through version 8.0.0.28 of the latest SDK, and appears to be unpatched at the time of this CVE record's first publishing, though the vendor has released a best practices guide for implementors of this chipset.

Analysis

CVE-2025-32458 is a command injection vulnerability in a Quantenna Wi-Fi chipset control script (router_command.sh) that allows local, unauthenticated attackers to execute arbitrary commands, with high impact to confidentiality and integrity. It affects the Quantenna Wi-Fi chipset through version 8.0.0.28 of the SDK and was unpatched at disclosure; the vendor has issued a best practices guide rather than a direct security patch. With a CVSS score of 7.7 and a local attack vector, this represents a significant risk to deployed routers and wireless access points using this chipset.

Technical Context

The vulnerability is classified as CWE-88 (Argument Injection), a class of input validation flaws where user-supplied data is not properly neutralized before being used as command-line arguments. The affected component is router_command.sh, a local control script in the Quantenna Wi-Fi chipset, specifically its get_syslog_from_qtn argument handler. Quantenna chipsets are widely used in consumer and enterprise Wi-Fi 6 routers and access points. The root cause is insufficient neutralization of special characters and argument delimiters (such as semicolons, pipes, backticks, or command substitution syntax), which could allow an attacker to break out of the intended argument context and inject arbitrary shell commands. This is a classic shell metacharacter injection flaw, distinct from SQL injection or other context-specific injection attacks.

Affected Products

Quantenna Wi-Fi Chipset through version 8.0.0.28 (SDK). This affects any router, wireless access point, or embedded Wi-Fi system integrating this chipset and the vulnerable router_command.sh script, including but not limited to: (1) Consumer Wi-Fi 6 routers using Quantenna chipsets, (2) Enterprise access points and mesh systems based on Quantenna hardware, (3) OEM implementations across multiple vendors (TP-Link, ASUS, Netgear, and others have used Quantenna chipsets). Specific CPE cannot be definitively listed without vendor advisory cross-reference, but the affected scope is the Quantenna Wi-Fi chipset library/firmware itself, affecting all downstream implementors. No specific patch version is documented in the provided data.

Remediation

Primary remediation:

(1) Await and deploy vendor-provided security patches for affected routers once available (monitor vendor security advisories for specific version updates).
(2) The Quantenna vendor has released a best practices guide for chipset implementors; device manufacturers should immediately apply these recommendations to their code.
(3) For immediate risk reduction: restrict local access to affected devices (disable SSH, limit console access, use network segmentation to limit who can access device management interfaces), and disable or restrict the get_syslog_from_qtn functionality if not required.
(4) Implement input validation and argument sanitization in any wrapper scripts around router_command.sh, explicitly filtering for shell metacharacters (;|&$(){}[]<>`'" and newline).
(5) Consider running router_command.sh in a restricted shell environment (e.g., rbash) or via a security wrapper that validates arguments against a whitelist.

Workaround: temporarily limit router_command.sh usage to patterns that do not invoke the vulnerable get_syslog_from_qtn argument, or disable syslog retrieval functionality entirely until patched. No direct patch version was provided in the vulnerability disclosure; contact the device manufacturer for specific security update availability.
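One way to implement the wrapper check from items (4) and (5), as an added example that is not the vendor's or this page's own code. It uses an allowlist rather than a metacharacter denylist and assumes the value passed with get_syslog_from_qtn is a short token of letters, digits, '.', '_' and '-'; that format, the ROUTER_CMD variable, the argument order and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: allowlist validation in front of router_command.sh.
# Assumptions (not from the advisory): the value passed with
# get_syslog_from_qtn is a short token; ROUTER_CMD and the argument
# order shown below are hypothetical.

# Fixed locale so the character ranges below match ASCII only.
LC_ALL=C
export LC_ALL

ROUTER_CMD="${ROUTER_CMD:-router_command.sh}"

# Return 0 only if $1 is a non-empty token of at most 64 allowlisted
# characters that does not start with '-' (a leading '-' would be parsed
# as an option, which is the CWE-88 argument-injection case).
is_safe_arg() {
    case "$1" in
        '' | -*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;   # anything outside the allowlist,
                                         # including spaces and newlines
    esac
    [ "${#1}" -le 64 ]
}

# Validate first, then pass the value as one quoted argument: no eval and
# no string concatenation that a shell would parse again.
get_syslog_checked() {
    if ! is_safe_arg "$1"; then
        printf 'rejected argument for get_syslog_from_qtn\n' >&2
        return 2
    fi
    "$ROUTER_CMD" get_syslog_from_qtn "$1"
}
```

A wrapper like this only protects callers that go through it; the underlying script still needs the vendor's fix.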

Priority Score

39
KEV: 0
EPSS: +0.2
CVSS: +38
POC: 0
