CVE-2025-55423

CRITICAL 9.8 (CVSS 3.1)
2026-01-20

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 12, 2026 - 21:54 (vuln.today)
PoC Detected: Jan 30, 2026 - 20:07 (vuln.today), public exploit code
CVE Published: Jan 20, 2026 - 18:16 (nvd), CRITICAL 9.8

Tags

Command Injection

A104 Firmware, A604mu Firmware, Ax2004 Firmware, N2plus I Firmware, N104k Firmware, A8004t Firmware, Ax2002mesh Firmware, Ax8004bcm Firmware, Q604 Firmware, N704v3 Firmware, A604v Firmware, A2004 Firmware, A6ns M Firmware, N7004ns Firmware, A2004se Firmware, A3004ns Bcm Firmware, Ax3004bcm Firmware, N1v Firmware, A2004plus Firmware, N104r Firmware, N604plus I Firmware, N104q Firmware, N604s Firmware, Ax8008m Firmware, N6 Firmware, N8004v Firmware, N704e Firmware, A2004nsplus Firmware, T3008 Firmware, N604eplus Firmware, A604g Mu Firmware, A6004ns M Firmware, A3004 Dual Firmware, Ew302n Firmware, N602e Firmware, N5 Firmware, A304 Firmware, A604se Firmware, N604rplus I Firmware, N102eplus Firmware, N804t3 Firmware, A3008 Mu Firmware, N804r Firmware, A604r Firmware, Ax3004itl Firmware, A5004ns M Firmware, N2v Firmware, A9004m X2 Firmware, A604g Skylife Firmware, N2vs Firmware, T5004 Firmware, A3003ns Firmware, N702bcm Firmware, N104 Black Firmware, A704ns Bcm Firmware, A2008 Firmware, N1plus I Firmware, A2004ns R Firmware, N702eplus Firmware, N702e Firmware, N2plus Firmware, N704qca Firmware, N704ns Firmware, A604m Firmware, N104e Firmware, T3004 Firmware, A3004ns M Firmware, N104plus I Firmware, N604t Firmware, N704eplus Firmware, A3004tw Firmware, N702r Firmware, N904ns Firmware, T5008 Firmware, A2004r Firmware, N2eplus Firmware, N604a Firmware, N604v Firmware, A604 V5 Firmware, A1004v Firmware, N8004r Firmware, A8ns M Firmware, A8004ns M Firmware, A7ns Firmware, N1e Firmware, A6004mx Firmware, V304 Firmware, A2004ns Firmware, N804a3 Firmware, N704bcm Firmware, T24000m Firmware, N904v Firmware, N804v Firmware, A2004ns Mu Firmware, A6004ns Firmware, A3002mesh Firmware, A2003ns Mu Firmware, N104eplus Firmware, N3 Firmware, N2e Firmware, A8004bcm Firmware, A1 Firmware, N104q I Firmware, A604 Firmware, A2004mu Firmware, T16000m Firmware, A7004m Firmware, A804ns Mu Firmware, A8004itl Firmware, N104plus Firmware, Smart Firmware, Q304 Firmware, A104ns Firmware, A1004ns Firmware, Ax2004bcm Firmware, N604r Firmware, N804 Firmware, Q1 Firmware, N604se Firmware, N804t Firmware, N804a Firmware, T16000 Firmware, N602se Firmware, Q504 Firmware, Ax8004m Firmware, V508 Firmware, N104v Firmware, N704 A3 Firmware, N604plus Firmware, N6004r Firmware, A104r Firmware, A3004ns Dual Firmware, N102e Firmware, A8004t Xr Firmware, Ax11000 Firmware, N604tplus Firmware, N604vplus Firmware, N604 Black Firmware, A3004t Firmware, N604e Firmware, N904plus Firmware, A5004ns Firmware, A3004m Firmware, N5 I Firmware, Ax2004m Firmware, A1004 Firmware, N904 Firmware, V504 Firmware, N600 Firmware, A2003mu Firmware, N3 I Firmware, A604 V3 Firmware, N102i Firmware, N102iplus Firmware, N602eplus Firmware, A3 Firmware, N104s R1 Firmware, A3004ns Firmware, N604rplus Firmware, A9004m Firmware, A3004 Firmware, T24000 Firmware, N1plus Firmware

Description

A command injection vulnerability exists in the upnp_relay() function in multiple ipTIME router models because the controlURL value used to pass port-forwarding information to an upper router is passed to system() without proper validation or sanitization, allowing OS command injection.

Analysis

Multiple ipTIME router models have a command injection vulnerability in the upnp_relay() function, allowing remote attackers to execute arbitrary OS commands through crafted UPnP requests.

Technical Context

The upnp_relay() function in multiple ipTIME routers fails to sanitize UPnP control messages (CWE-94), allowing attackers to inject OS commands through crafted UPnP requests processed by the router.
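
One way to close this class of bug, shown as an added example and not ipTIME's firmware code: check controlURL against a strict allowlist, then hand it to the helper as a single argv element for execv() instead of building a system() string. The function names, the IPv4-only host rule, the length limit and the helper path are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

/* Hypothetical "before" pattern matching the description (not the vendor's code):
 *   snprintf(cmd, sizeof cmd, "<relay-helper> %s", controlURL);
 *   system(cmd);   // controlURL comes from the upper router and is shell-parsed
 */

/* Accept only http://<IPv4>[:port]/<path>, path limited to [A-Za-z0-9/._-].
 * Returns 1 if the URL is acceptable, 0 otherwise. */
int control_url_is_safe(const char *url)
{
    static const char scheme[] = "http://";
    char host[INET_ADDRSTRLEN];
    struct in_addr addr;
    size_t n;

    if (url == NULL || strlen(url) > 255) return 0;
    if (strncmp(url, scheme, sizeof scheme - 1) != 0) return 0;
    url += sizeof scheme - 1;
    n = strspn(url, "0123456789.");             /* host: dotted quad only */
    if (n == 0 || n >= sizeof host) return 0;
    memcpy(host, url, n); host[n] = '\0';
    if (inet_pton(AF_INET, host, &addr) != 1) return 0;
    url += n;
    if (*url == ':') {                          /* optional port, 1..65535 */
        char *end;
        if (!isdigit((unsigned char)url[1])) return 0;
        long port = strtol(url + 1, &end, 10);
        if (port < 1 || port > 65535) return 0;
        url = end;
    }
    if (*url != '/') return 0;                  /* a path is required */
    for (; *url; url++)                         /* rejects quotes, spaces, shell metacharacters */
        if (!isalnum((unsigned char)*url) && !strchr("/._-", *url)) return 0;
    return 1;
}

/* Fill argv for execv(): the URL stays one argument and no shell ever parses it.
 * "/usr/sbin/relay-helper" is a placeholder path. Returns 0 on success, -1 if rejected. */
int build_relay_argv(const char *url, const char *argv[3])
{
    if (!control_url_is_safe(url)) return -1;
    argv[0] = "/usr/sbin/relay-helper";
    argv[1] = url;
    argv[2] = NULL;
    return 0;
}
```

Validation and shell-free execution are independent layers: either one alone blocks injection through this value, and keeping both means a later loosening of the allowlist does not reopen the hole.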

Affected Products

Multiple ipTIME router models

Remediation

Update router firmware. Disable UPnP if not needed. ipTIME routers should be checked for firmware updates regularly.

Priority Score

70 (KEV: 0, EPSS: +0.6, CVSS: +49, POC: +20)
