Skip to main content

Neterbit NW-431F Router CVE-2025-67447

CRITICAL
OS Command Injection (CWE-78)
2026-06-04 mitre
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 04, 2026 - 18:00 vuln.today

DescriptionCVE.org

The network diagnosis (ping) module in Neterbit NW-431F Router 20241014-IR03 and before is vulnerable to OS command injection. The application does not properly sanitize user input in the IP address field before passing it to the system's ping command. An attacker can inject arbitrary OS commands, which will be executed with the privileges of the web server.

AnalysisAI

OS command injection in the Neterbit NW-431F Router (firmware 20241014-IR03 and earlier) allows remote unauthenticated attackers to execute arbitrary commands via the ping diagnostic module's IP address field. With a CVSS of 9.8 and a low-complexity network attack vector, exploitation runs with web-server privileges and no public exploit has been identified at time of analysis, though a researcher-published reference on GitHub may contain technical details.

Technical ContextAI

The vulnerable component is the network diagnosis (ping) feature exposed by the embedded web management interface of the Neterbit NW-431F router. The root cause is classic shell metacharacter injection (CWE-78 class, though CWE is listed as N/A in the input): the firmware passes user-supplied IP input directly to the underlying system ping binary without sanitization or argument separation, so characters such as ';', '|', '&', or backticks break out of the intended argument and are interpreted by the shell. Embedded SOHO routers typically run BusyBox-based Linux with the web daemon executing as root or a privileged service account, which makes any command-injection sink in a CGI-style handler effectively a remote shell. The CPE record provided (cpe:2.3:a:n/a:n/a) is a placeholder and does not enumerate the actual hardware/firmware product, so MITRE has not yet structured the affected platform identifier.

RemediationAI

No vendor-released patch identified at time of analysis - neither the MITRE record nor the supplied references point to a fixed firmware build. As compensating controls, immediately disable WAN-side remote administration on the NW-431F so the web UI is not reachable from the internet (trade-off: loss of remote management convenience), restrict LAN access to the admin interface to a dedicated management VLAN or specific source IPs via ACL (trade-off: more complex network topology), and change default admin credentials if not already done so that any auth gate in front of the ping page is enforced. Where possible, block outbound connections initiated by the router to untrusted destinations to limit post-exploitation callbacks, and monitor the device for unexpected processes or configuration changes. Contact Neterbit (https://neterbit.com/) to request a firmware update addressing the unsanitized input handler in the ping diagnostic, and consult https://github.com/fun-beep/CVEs/tree/main/CVE-2025-67447 for the researcher's technical writeup that may indicate the specific endpoint and parameter to filter at a network proxy.

Share

CVE-2025-67447 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy