CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Description
Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue in the AT+MNNETSP command that can lead to privilege escalation. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). This issue has not been generally fixed at the time of this CVE record's first publishing.
Analysis
This is a post-authentication command injection vulnerability in the AT+MNNETSP command of Microhard BulletLTE-NA2 and IPn4Gii-NA2 products. Because argument delimiters are not properly neutralized, an authenticated local user can achieve privilege escalation. With a CVSS score of 7.1, high confidentiality and integrity impact, and no widespread patch availability at disclosure, this vulnerability poses a moderate-to-significant risk to organizations deploying these industrial LTE modems. The post-authentication requirement limits immediate exposure, but the flaw remains a critical internal privilege escalation path once system access is obtained.
Technical Context
This vulnerability exists in the AT command interface of Microhard's industrial-grade LTE modem products (BulletLTE-NA2 and IPn4Gii-NA2), which are widely deployed in remote monitoring, IoT gateway, and critical infrastructure applications. The AT+MNNETSP command fails to properly neutralize argument delimiters, an instance of CWE-88 (Argument Injection), allowing an authenticated user to inject arbitrary commands that execute with elevated privileges. AT commands are a standardized modem control interface, and improper input validation in command parsing is a known attack surface in telecommunications equipment. The vulnerability likely stems from insufficient input sanitization when parsing command parameters, which lets shell metacharacters or command separators escape the intended argument boundaries and run unintended system commands.
Affected Products
Microhard Systems products: BulletLTE-NA2 (all versions prior to patch release); IPn4Gii-NA2 (all versions prior to patch release). These are industrial LTE modem products commonly integrated into gateway devices, remote monitoring systems, and critical infrastructure applications. CPE identifiers would follow the pattern cpe:2.3:h:microhard:bulletlte-na2:*:*:*:*:*:*:*:* and cpe:2.3:h:microhard:ipn4gii-na2:*:*:*:*:*:*:*:*. OEMs and systems integrators that incorporate these modems into larger products (routers, gateways, industrial controllers) should be identified as secondary affected parties. The vendor advisory from Microhard Systems is the authoritative source for affected version ranges and patch availability.
Remediation
Immediate actions:
(1) Restrict AT command access to trusted users only via access control lists on the modem management interface.
(2) Implement input validation and sanitization filters for AT+MNNETSP command parameters to reject shell metacharacters and command separators.
(3) Run modems with minimal necessary privileges to limit privilege escalation scope.

Long-term:
(1) Monitor Microhard Systems security advisories and obtain patched firmware versions when available.
(2) For critical deployments, implement network segmentation to isolate modem management interfaces.
(3) Deploy intrusion detection rules to monitor for suspicious AT command sequences.
(4) Consider product replacement with alternatives offering better security practices if patches are delayed.

Vendor patch availability should be confirmed directly with Microhard Systems support; no specific version numbers are provided in the current disclosure.
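One way to approach the input-filtering and AT-command monitoring items above, as an added example that is not Microhard's code or part of the advisory: a Python check that flags AT+MNNETSP lines whose parameters contain characters outside an allowlist or option-like tokens. The page does not give the command's parameter grammar, so the allowlist, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
import string

# Assumption: the page gives no AT+MNNETSP parameter grammar; this allowlist is
# a conservative placeholder to tighten against the vendor's command reference.
ALLOWED = set(string.ascii_letters + string.digits + "_.,")
CMD = re.compile(r"^\s*AT\+MNNETSP(?![A-Za-z0-9_])(?P<rest>.*)$", re.IGNORECASE)


def inspect_at_line(line):
    """Return findings for one AT line; [] means clean or not AT+MNNETSP."""
    m = CMD.match(line.rstrip("\r\n"))
    if not m:
        return []
    rest = m.group("rest")
    # Bare, read (?) and test (=?) forms of an AT command carry no argument.
    if rest in ("", "?", "=?"):
        return []
    if not rest.startswith("="):
        return ["unexpected text after command name: %r" % rest]
    params = rest[1:]
    findings = []
    bad = "".join(sorted(set(params) - ALLOWED))
    if bad:
        findings.append("characters outside allowlist: %r" % bad)
    # CWE-88: a token with a leading '-' may be parsed as an option by
    # whatever program eventually receives the argument.
    if any(tok.startswith("-") for tok in re.split(r"[,\s]+", params)):
        findings.append("option-like token (leading '-')")
    return findings


def scan(lines):
    """Return (line_number, line, findings) for every flagged line."""
    checked = ((n, l, inspect_at_line(l)) for n, l in enumerate(lines, 1))
    return [hit for hit in checked if hit[2]]

# Constructed sample log; parameter values are placeholders, not real syntax.
SAMPLE = [
    "AT+CSQ",
    "AT+MNNETSP?",
    "AT+MNNETSP=1",
    "AT+MNNETSP=1;PLACEHOLDER",
    "at+mnnetsp=1 -PLACEHOLDER",
]

if __name__ == "__main__":
    for number, line, findings in scan(SAMPLE):
        print(number, repr(line), "; ".join(findings))
```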
EUVD-2025-17399