Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Lifecycle Timeline
3DescriptionCVE.org
The Diviotec professional series exposes a web interface. One endpoint is vulnerable to arbitrary command injection and hardcoded passwords are used.
AnalysisAI
Critical vulnerability in Diviotec professional series devices that combines arbitrary command injection via a web interface endpoint with hardcoded credentials, allowing authenticated attackers to execute arbitrary commands with high impact on confidentiality, integrity, and availability. The CVSS 8.6 score reflects the severity of command injection paired with hardcoded passwords that eliminate authentication barriers. This vulnerability affects network-accessible professional series devices and represents an immediate risk in environments where these devices are deployed, particularly where adjacent network access is possible.
Technical ContextAI
The vulnerability resides in the Diviotec professional series web interface (CWE-77: Improper Neutralization of Special Elements used in a Command). The root cause is insufficient input validation on a web endpoint that passes user-supplied data unsanitized to a system command execution function, enabling OS command injection. The presence of hardcoded credentials further degrades security posture by enabling unauthenticated or low-privilege attackers to escalate to command execution. The web interface likely uses a backend service (possibly CGI/PHP or similar) that directly invokes shell commands without proper escaping or use of safer APIs like execve() with parameterized arguments. The combination of both flaws—command injection (CWE-77) and hardcoded passwords (CWE-798)—creates a cascading attack chain requiring minimal attacker sophistication.
RemediationAI
Immediate steps: (1) Apply vendor-supplied firmware patches (check Diviotec support portal for patched professional series firmware version); (2) Until patching is feasible, implement network segmentation to restrict adjacent network access to professional series devices via firewall rules limiting Layer 2/3 access; (3) Change or disable hardcoded credentials if a management interface allows credential updates (consult device documentation); (4) Monitor device logs for exploitation attempts targeting the vulnerable endpoint (search for command injection payloads in web logs); (5) If the vulnerable endpoint function can be disabled without operational impact, consider disabling it as a temporary mitigation. Vendor patch availability must be confirmed with Diviotec; if no patch is available within 90 days, escalate to device manufacturer and consider device replacement or retirement.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-16615