Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Multiple wireless router models from Sapido have an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server. The affected models are out of support; replacing the device is recommended.
AnalysisAI
CVE-2025-6559 is an unauthenticated OS Command Injection vulnerability affecting multiple Sapido wireless router models that are out of support. Remote attackers can inject and execute arbitrary operating system commands with no authentication required, achieving complete system compromise. The CVSS 9.8 Critical severity reflects the trivial attack vector (network-accessible, no user interaction required) and complete impact on confidentiality, integrity, and availability.
Technical ContextAI
This vulnerability exploits improper input validation in OS command execution paths within Sapido router firmware (affected CPE families likely include cpe:2.3:o:sapido:router_firmware). CWE-78 (Improper Neutralization of Special Elements used in an OS Command) indicates the firmware fails to sanitize user-supplied input before passing it to shell command execution functions (likely system(), popen(), exec() or similar OS-level calls). This is a classic command injection flaw where special shell metacharacters (;, |, &, $(), backticks, etc.) are not filtered, allowing attackers to chain arbitrary commands. Given Sapido's consumer router product line, the vulnerable code is likely in web interface request handlers or management protocol parsers that accept configuration or diagnostic parameters.
RemediationAI
No vendor patch is available; devices are out-of-support. Remediation options: (1) REPLACEMENT (recommended): Retire affected Sapido routers and replace with current-generation hardware from vendors maintaining active security support; (2) NETWORK ISOLATION: If replacement is not immediate, isolate vulnerable routers from untrusted networks via air-gap, restricted VLAN, or disabling remote management (WAN access to admin interface); (3) FIRMWARE AUDIT: Check for third-party firmware projects (OpenWrt, DD-WRT) offering community patches for Sapido hardware—some legacy routers receive community support beyond vendor EOL; (4) MONITORING: Implement network IDS/IPS rules to detect OS command injection payloads (signatures for shell metacharacters in HTTP parameters to router management ports); (5) ACCESS CONTROLS: Restrict router management interface access to trusted internal IPs only, disable UPnP, and change default credentials. Do NOT rely on firmware updates from Sapido—device must be replaced for genuine security remediation.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-19048