Neterbit NW-431F Router CVE-2025-67447
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
The network diagnosis (ping) module in Neterbit NW-431F Router 20241014-IR03 and before is vulnerable to OS command injection. The application does not properly sanitize user input in the IP address field before passing it to the system's ping command. An attacker can inject arbitrary OS commands, which will be executed with the privileges of the web server.
AnalysisAI
OS command injection in the Neterbit NW-431F Router (firmware 20241014-IR03 and earlier) allows remote unauthenticated attackers to execute arbitrary commands via the ping diagnostic module's IP address field. With a CVSS of 9.8 and a low-complexity network attack vector, exploitation runs with web-server privileges and no public exploit has been identified at time of analysis, though a researcher-published reference on GitHub may contain technical details.
Technical ContextAI
The vulnerable component is the network diagnosis (ping) feature exposed by the embedded web management interface of the Neterbit NW-431F router. The root cause is classic shell metacharacter injection (CWE-78 class, though CWE is listed as N/A in the input): the firmware passes user-supplied IP input directly to the underlying system ping binary without sanitization or argument separation, so characters such as ';', '|', '&', or backticks break out of the intended argument and are interpreted by the shell. Embedded SOHO routers typically run BusyBox-based Linux with the web daemon executing as root or a privileged service account, which makes any command-injection sink in a CGI-style handler effectively a remote shell. The CPE record provided (cpe:2.3:a:n/a:n/a) is a placeholder and does not enumerate the actual hardware/firmware product, so MITRE has not yet structured the affected platform identifier.
RemediationAI
No vendor-released patch identified at time of analysis - neither the MITRE record nor the supplied references point to a fixed firmware build. As compensating controls, immediately disable WAN-side remote administration on the NW-431F so the web UI is not reachable from the internet (trade-off: loss of remote management convenience), restrict LAN access to the admin interface to a dedicated management VLAN or specific source IPs via ACL (trade-off: more complex network topology), and change default admin credentials if not already done so that any auth gate in front of the ping page is enforced. Where possible, block outbound connections initiated by the router to untrusted destinations to limit post-exploitation callbacks, and monitor the device for unexpected processes or configuration changes. Contact Neterbit (https://neterbit.com/) to request a firmware update addressing the unsanitized input handler in the ping diagnostic, and consult https://github.com/fun-beep/CVEs/tree/main/CVE-2025-67447 for the researcher's technical writeup that may indicate the specific endpoint and parameter to filter at a network proxy.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today