EUVD-2025-16615
CVE-2025-5113 HIGH
2025-06-02 [email protected]
CVSS 4.0 base score: 8.6

CVSS Vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: Low
User Interaction: None

Lifecycle Timeline

EUVD ID Assigned: Mar 14, 2026 - 16:47 (euvd) - EUVD-2025-16615
Analysis Generated: Mar 14, 2026 - 16:47 (vuln.today)
CVE Published: Jun 02, 2025 - 08:15 (nvd) - HIGH 8.6

Description

The Diviotec professional series exposes a web interface. One endpoint is vulnerable to arbitrary command injection and hardcoded passwords are used.

Analysis

High-severity vulnerability in Diviotec professional series devices that combines arbitrary command injection via a web interface endpoint with hardcoded credentials, allowing authenticated attackers (a barrier the hardcoded passwords readily remove) to execute arbitrary commands with high impact on confidentiality, integrity, and availability. The CVSS 8.6 score reflects the severity of command injection paired with hardcoded passwords that eliminate the authentication barrier. The vulnerability affects network-accessible professional series devices and represents an immediate risk wherever these devices are deployed, particularly where adjacent network access is possible.

Technical Context

The vulnerability resides in the Diviotec professional series web interface (CWE-77: Improper Neutralization of Special Elements used in a Command). The root cause is insufficient input validation on a web endpoint that passes user-supplied data, unsanitized, to a system command execution function, enabling OS command injection. The presence of hardcoded credentials further degrades the security posture by giving unauthenticated or low-privilege attackers the access they need to reach the vulnerable endpoint and escalate to command execution. The web interface likely uses a backend service (possibly CGI/PHP or similar) that directly invokes shell commands without proper escaping, rather than a safer API such as execve() with parameterized arguments. The combination of the two flaws, command injection (CWE-77) and hardcoded passwords (CWE-798), creates a cascading attack chain that requires minimal attacker sophistication.

Affected Products

Diviotec professional series (specific version numbers are not provided in the disclosure, but the flaw likely encompasses multiple firmware versions prior to a patch release). CPE data is unavailable in the provided context; an affected-product string derived from the description would be cpe:2.3:h:diviotec:professional_series:*:*:*:*:*:*:*:* (vendor and product series taken from the description, not from an official CPE entry). Without specific version boundaries, remediation should target all professional series devices until a vendor advisory confirms which versions are patched. Consult Diviotec security advisories or contact vendor support for the exact affected firmware versions and patched releases.

Remediation

Immediate steps:

1. Apply vendor-supplied firmware patches (check the Diviotec support portal for a patched professional series firmware version).
2. Until patching is feasible, implement network segmentation to restrict adjacent network access to professional series devices, using firewall rules that limit Layer 2/3 access.
3. Change or disable the hardcoded credentials if a management interface allows credential updates (consult the device documentation).
4. Monitor device logs for exploitation attempts targeting the vulnerable endpoint (search for command injection payloads in web logs).
5. If the vulnerable endpoint function can be disabled without operational impact, consider disabling it as a temporary mitigation.

Vendor patch availability must be confirmed with Diviotec; if no patch is available within 90 days, escalate to the device manufacturer and consider device replacement or retirement.

Priority Score

43 (scale: Low / Medium / High / Critical)

Score components:
KEV: 0
EPSS: +0.2
CVSS: +43
POC: 0


EUVD-2025-16615 vulnerability details – vuln.today
