Skip to main content

Curo UC300 CVE-2025-57457

HIGH
OS Command Injection (CWE-78)
2025-10-08 cve@mitre.org
8.8
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Admin-panel injection requires low-privileged authentication (PR:L); network-reachable management interface justifies AV:N per the supplied vector, and command execution yields full C/I/A impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 02:45 vuln.today

DescriptionCVE.org

An OS Command Injection vulnerability in the Admin panel in Curo UC300 5.42.1.7.1.63R1 allows local attackers to inject arbitrary OS Commands via the "IP Addr" parameter.

AnalysisAI

OS command injection in the Curo UC300 (firmware 5.42.1.7.1.63R1) unified communications device lets an authenticated attacker with admin-panel access run arbitrary operating-system commands by injecting shell metacharacters into the "IP Addr" parameter. Successful exploitation yields full command execution on the underlying device (high confidentiality, integrity, and availability impact). A public GitHub repository referenced by NVD indicates publicly available exploit code exists, though the flaw is not listed in CISA KEV and its EPSS probability is modest (1.15%, 63rd percentile).

Technical ContextAI

The Curo UC300 is a unified-communications / VoIP endpoint whose web-based Admin panel accepts an "IP Addr" input that is passed to an underlying OS command without adequate sanitization. This is a classic CWE-78 (Improper Neutralization of Special Elements used in an OS Command) failure: user-controlled text intended to be an IP address is concatenated into a shell invocation (likely a network utility such as ping or a network-config routine), so shell metacharacters (;, |, `, $()) break out of the intended argument and execute attacker-supplied commands with the privileges of the web/management process. No CPE strings were supplied in the input, so the only firmware confirmed affected is the exact build named in the description, 5.42.1.7.1.63R1.

Affected ProductsAI

The Curo UC300 unified-communications device running firmware version 5.42.1.7.1.63R1 is the only build named as affected; other versions are neither confirmed vulnerable nor confirmed safe from the available data. No CPE strings were provided to enumerate exact configurations, and no vendor advisory URL was supplied - the sole reference is a third-party GitHub repository (https://github.com/restdone/CVE-2025-57457/tree/main) cited by NVD, which appears to host proof-of-concept material rather than an official fix.

RemediationAI

No vendor-released patch identified at time of analysis, and no fixed firmware version is provided in the input, so the primary mitigation is to restrict access to the UC300 Admin panel: place the management interface on an isolated management VLAN, block it from untrusted networks, and enforce strong, unique admin credentials plus MFA if supported, since exploitation requires low-privileged admin-panel authentication. Where feasible, avoid exposing the device web/management interface to the internet and monitor the "IP Addr" field and network-utility functions for anomalous input, accepting that these controls reduce but do not eliminate risk from an authenticated insider. Contact Curo/CommScope for a patched firmware release and consult the referenced GitHub repository (https://github.com/restdone/CVE-2025-57457/tree/main) to understand exploit specifics; do not rely on any invented version number, as none was supplied.

Share

CVE-2025-57457 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy