Skip to main content

IoT CVE-2025-48890

| EUVDEUVD-2025-18996 CRITICAL
OS Command Injection (CWE-78)
2025-06-24 vultures@jpcert.or.jp
9.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 15, 2026 - 22:36 euvd
EUVD-2025-18996
Analysis Generated
Mar 15, 2026 - 22:36 vuln.today
CVE Published
Jun 24, 2025 - 05:15 nvd
CRITICAL 9.8

DescriptionCVE.org

WRH-733GBK and WRH-733GWH contain an improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in miniigd SOAP service. If a remote unauthenticated attacker sends a specially crafted request to the affected product, an arbitrary OS command may be executed.

AnalysisAI

CVE-2025-48890 is a critical OS command injection vulnerability in the miniigd SOAP service affecting WRH-733GBK and WRH-733GWH network storage devices. Remote unauthenticated attackers can execute arbitrary OS commands by sending specially crafted requests, achieving complete system compromise (CVSS 9.8). With an attack vector of Network/Low complexity/No privileges required, this vulnerability poses immediate risk to exposed devices.

Technical ContextAI

The vulnerability exists in the miniigd SOAP service, which handles UPnP/SOAP protocol requests for device management and control. The root cause is CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), indicating insufficient input validation and sanitization of user-supplied data before passing it to OS command execution functions (likely system(), exec(), or equivalent). The SOAP service likely processes XML requests containing parameters that are directly interpolated into shell commands without proper escaping or parameterization. Affected products are WRH-733GBK (black) and WRH-733GWH (white) variants, which are consumer/prosumer NAS devices. The miniigd daemon typically runs with elevated privileges, amplifying the impact of command injection to full system compromise.

RemediationAI

Immediate remediation steps: (1) Apply firmware patches released by the vendor for WRH-733GBK and WRH-733GWH—check vendor advisory for specific patched firmware versions; (2) If patches are unavailable, disable or restrict network access to the miniigd SOAP service port (typically UDP 1900, TCP 49152-49161) using firewall rules, allowing only trusted administrative networks; (3) Implement network segmentation to isolate NAS devices from untrusted networks; (4) Monitor device logs for suspicious SOAP requests or command injection patterns; (5) If exploitation is suspected, immediately isolate the device and audit for unauthorized access or data exfiltration; (6) Update to latest firmware as soon as vendor releases patched versions. Vendor advisory links and patch download URLs should be obtained directly from the manufacturer's security page or product support portal.

More in IoT

View all
CVE-2025-45988 CRITICAL POC
9.8 Jun 13

A command injection vulnerability (CVSS 9.8). Risk factors: public PoC available.

CVE-2026-29128 CRITICAL POC
10.0 Mar 05

Plaintext daemon credentials in IDC SFX2100 routing config files (zebra, bgpd, ospfd, ripd). CVSS 10.0. PoC available.

CVE-2025-63624 CRITICAL POC
9.8 Feb 03

Kede Electronics IoT smart water meter monitoring platform v1.0 has a SQL injection allowing attackers to compromise the

CVE-2026-25139 CRITICAL POC
9.1 Feb 04

RIOT IoT operating system has an out-of-bounds read vulnerability (CVSS 9.1) that could lead to information disclosure o

CVE-2025-5875 HIGH POC
8.8 Jun 09

A buffer overflow vulnerability in A vulnerability classified as critical (CVSS 8.8). Risk factors: public PoC available

CVE-2025-34023 HIGH POC
8.5 Jun 20

CVE-2025-34023 is a path traversal vulnerability in Karel IP1211 IP Phone's web management panel that allows remote auth

CVE-2025-48466 HIGH POC
8.1 Jun 24

CVE-2025-48466 is a security vulnerability (CVSS 8.1). Risk factors: public PoC available.

CVE-2026-27177 HIGH POC
7.2 Feb 18

MajorDoMo's unauthenticated /objects/?op=set endpoint fails to sanitize property values, allowing remote attackers to in

CVE-2025-7503 CRITICAL
10.0 Jul 11

CVE-2025-7503 is a security vulnerability (CVSS 10.0). Critical severity with potential for significant impact on affect

CVE-2025-64090 CRITICAL
10.0 Jan 09

Command injection via the hostname field allowing authenticated code execution with maximum CVSS 10.0 and scope change.

CVE-2026-1633 CRITICAL
10.0 Feb 04

Synectix LAN 232 TRIO serial-to-ethernet adapter exposes its web management interface without authentication (CVSS 10.0)

CVE-2025-40805 CRITICAL
10.0 Jan 13

An API authentication bypass allows unauthenticated attackers to impersonate legitimate users. Maximum CVSS 10.0 with sc

Share

CVE-2025-48890 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy