CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Description
The Quantenna Wi-Fi chipset ships with a local control script, router_command.sh (in the sync_time argument), that is vulnerable to command injection. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.7 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). This issue affects Quantenna Wi-Fi chipset through version 8.0.0.28 of the latest SDK, and appears to be unpatched at the time of this CVE record's first publishing, though the vendor has released a best practices guide for implementors of this chipset.
Analysis
A command injection vulnerability exists in the Quantenna Wi-Fi chipset's router_command.sh script, specifically in the sync_time argument handler, allowing unauthenticated local attackers to execute arbitrary commands with high impact on confidentiality and integrity. The vulnerability affects Quantenna Wi-Fi chipset SDK versions through 8.0.0.28 and remains unpatched as of the CVE publication date, though the vendor has released implementation best practices rather than a direct patch. The CVSS 7.7 score reflects the local attack vector but high-impact consequences; exploitation requires local access but no privileges or user interaction.
Technical Context
The vulnerability is an instance of CWE-88 (Improper Neutralization of Argument Delimiters in a Command), a class of injection flaws where user-controlled input is concatenated into shell commands without proper escaping or validation. The affected component is router_command.sh, a control script bundled with Quantenna Wi-Fi chipsets (likely embedded in routers, access points, and wireless networking devices using Quantenna's silicon). The sync_time argument handler fails to sanitize shell metacharacters and command separators (e.g., `;`, `|`, `$()`), allowing an attacker with local shell access to break out of the intended argument context and inject arbitrary commands. This is a classic shell injection pattern common in legacy embedded scripts that concatenate user input directly into system() or exec() calls. Quantenna's chipsets are widely integrated into third-party router firmware and networking equipment, making the scope of affected products potentially very broad despite the SDK-level vulnerability.
Affected Products
Quantenna Wi-Fi Chipset SDK versions up to and including 8.0.0.28. Specific CPE data not provided in source material, but affected products likely include: (1) Quantenna QSR10G/QSR1000 chipsets and derivatives; (2) Any router, access point, mesh node, or embedded wireless device using Quantenna silicon; (3) OEM firmware implementations integrating the vulnerable router_command.sh script. Known vendors integrating Quantenna chipsets include TP-Link, NETGEAR, ASUS, Linksys, and others, but exact affected model numbers and firmware versions would require cross-reference against each OEM's bill-of-materials and SDK dependency tracking. The vendor (Quantenna, owned by Qualcomm as of 2019) has released a best practices implementation guide but no CVE-specific security patch, suggesting remediation responsibility lies with OEM integrators. No vendor advisory link was provided in the source material.
Remediation
Immediate mitigations:
(1) Restrict local shell access to router_command.sh via file permissions and access controls;
(2) Disable or remove the sync_time feature if not operationally required;
(3) Implement input validation at the application layer that calls router_command.sh to reject shell metacharacters in the sync_time argument.

Long-term remediation:
(1) Contact your router/device OEM for a firmware update that patches the underlying Quantenna SDK or implements proper argument sanitization (e.g., using shell_escape(), avoiding shell interpretation via direct exec with argv array);
(2) Replace router_command.sh with a reimplemented version that uses safe argument passing (e.g., direct system calls with argument arrays rather than shell string concatenation);
(3) Implement a local input validation layer that strips or rejects characters like `;`, `|`, `$`, backticks, and newlines before passing arguments to the script.

Workaround for integrators: follow Quantenna's released best practices guide for safe script implementation, likely recommending quoted arguments, argument validation, and avoiding eval-like patterns. No official patch version number was provided; recommend checking with your OEM for updates after this CVE publication.
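As an added example (not code from the advisory, Quantenna, or any OEM), a caller-side guard in POSIX sh for the input-validation and safe-argument-passing mitigations above. The timestamp allowlist, the 32-character limit, the `router_command.sh sync_time <value>` invocation form, and the `ROUTER_CMD` path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: caller-side guard for the sync_time argument.
# ASSUMPTIONS (not from the advisory): the value is a timestamp built only
# from digits and the separators - : . T Z, at most 32 characters long, and
# the script is invoked as "<script> sync_time <value>".
LC_ALL=C; export LC_ALL          # make the 0-9 range mean ASCII digits only

# Placeholder path; set ROUTER_CMD to the real location on the device.
ROUTER_CMD="${ROUTER_CMD:-/path/to/router_command.sh}"

# Return 0 only when the value passes the allowlist.
is_safe_sync_time() {
    value=$1
    # Reject empty and over-long values.
    [ -n "$value" ] || return 1
    [ "${#value}" -le 32 ] || return 1
    # Reject a leading '-' so the value cannot be parsed as an option (CWE-88).
    case $value in
        -*) return 1 ;;
    esac
    # Allowlist: any character outside the set fails the check. This covers
    # ; | $ backticks, quotes, whitespace and newlines without listing them.
    case $value in
        *[!0-9TZ:.-]*) return 1 ;;
    esac
    return 0
}

# Validate, then pass the value as a single quoted argv element.
run_sync_time() {
    if ! is_safe_sync_time "$1"; then
        echo "sync_time: rejected value" >&2
        return 64
    fi
    # No eval and no string concatenation: this shell never re-parses "$1".
    "$ROUTER_CMD" sync_time "$1"
}
```

This protects only callers that go through the wrapper; if router_command.sh itself concatenates the argument into a command line and is reachable directly, the file-permission mitigation above still applies.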
EUVD-2025-17405