Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
WRH-733GBK and WRH-733GWH contain an improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in miniigd SOAP service. If a remote unauthenticated attacker sends a specially crafted request to the affected product, an arbitrary OS command may be executed.
AnalysisAI
CVE-2025-48890 is a critical OS command injection vulnerability in the miniigd SOAP service affecting WRH-733GBK and WRH-733GWH network storage devices. Remote unauthenticated attackers can execute arbitrary OS commands by sending specially crafted requests, achieving complete system compromise (CVSS 9.8). With an attack vector of Network/Low complexity/No privileges required, this vulnerability poses immediate risk to exposed devices.
Technical ContextAI
The vulnerability exists in the miniigd SOAP service, which handles UPnP/SOAP protocol requests for device management and control. The root cause is CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), indicating insufficient input validation and sanitization of user-supplied data before passing it to OS command execution functions (likely system(), exec(), or equivalent). The SOAP service likely processes XML requests containing parameters that are directly interpolated into shell commands without proper escaping or parameterization. Affected products are WRH-733GBK (black) and WRH-733GWH (white) variants, which are consumer/prosumer NAS devices. The miniigd daemon typically runs with elevated privileges, amplifying the impact of command injection to full system compromise.
RemediationAI
Immediate remediation steps: (1) Apply firmware patches released by the vendor for WRH-733GBK and WRH-733GWH—check vendor advisory for specific patched firmware versions; (2) If patches are unavailable, disable or restrict network access to the miniigd SOAP service port (typically UDP 1900, TCP 49152-49161) using firewall rules, allowing only trusted administrative networks; (3) Implement network segmentation to isolate NAS devices from untrusted networks; (4) Monitor device logs for suspicious SOAP requests or command injection patterns; (5) If exploitation is suspected, immediately isolate the device and audit for unauthorized access or data exfiltration; (6) Update to latest firmware as soon as vendor releases patched versions. Vendor advisory links and patch download URLs should be obtained directly from the manufacturer's security page or product support portal.
A command injection vulnerability (CVSS 9.8). Risk factors: public PoC available.
Plaintext daemon credentials in IDC SFX2100 routing config files (zebra, bgpd, ospfd, ripd). CVSS 10.0. PoC available.
Kede Electronics IoT smart water meter monitoring platform v1.0 has a SQL injection allowing attackers to compromise the
RIOT IoT operating system has an out-of-bounds read vulnerability (CVSS 9.1) that could lead to information disclosure o
A buffer overflow vulnerability in A vulnerability classified as critical (CVSS 8.8). Risk factors: public PoC available
CVE-2025-34023 is a path traversal vulnerability in Karel IP1211 IP Phone's web management panel that allows remote auth
CVE-2025-48466 is a security vulnerability (CVSS 8.1). Risk factors: public PoC available.
MajorDoMo's unauthenticated /objects/?op=set endpoint fails to sanitize property values, allowing remote attackers to in
CVE-2025-7503 is a security vulnerability (CVSS 10.0). Critical severity with potential for significant impact on affect
Command injection via the hostname field allowing authenticated code execution with maximum CVSS 10.0 and scope change.
Synectix LAN 232 TRIO serial-to-ethernet adapter exposes its web management interface without authentication (CVSS 10.0)
An API authentication bypass allows unauthenticated attackers to impersonate legitimate users. Maximum CVSS 10.0 with sc
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-18996