CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Description
Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue in the AT+MFRULE command that can lead to privilege escalation. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). This issue has not been generally fixed at the time of this CVE record's first publishing.
Analysis
Post-authentication command injection vulnerability in the AT+MFRULE command affecting Microhard BulletLTE-NA2 and IPn4Gii-NA2 products, allowing authenticated local attackers to achieve privilege escalation through improper argument delimiter neutralization (CWE-88). With a CVSS score of 7.1 and no general fix available at publication, this vulnerability presents a moderate-to-high risk for systems where local authentication access can be obtained. The vulnerability has not been reported as actively exploited in public KEV catalogs, but the lack of available patches and the privilege escalation potential warrant immediate assessment and mitigation planning.
Technical Context
This vulnerability stems from insufficient input validation in Microhard's AT command interface, specifically the AT+MFRULE command handler used in their cellular modem products (BulletLTE-NA2 and IPn4Gii-NA2). The root cause is classified under CWE-88 (Argument Injection), where user-supplied arguments are not properly neutralized before being processed in command execution contexts. The AT command set is a legacy serial/modem control protocol that remains prevalent in embedded cellular devices and IoT gateways. The affected products are Microhard industrial-grade cellular modems commonly deployed in remote monitoring, SCADA systems, and critical infrastructure. The AT+MFRULE command likely manages firewall or routing rules, making it a high-value target for local privilege escalation once initial authenticated access is gained.
Affected Products
Microhard BulletLTE-NA2: All versions (specific patched versions not identified in CVE record at publication). Microhard IPn4Gii-NA2: All versions (specific patched versions not identified in CVE record at publication). CPE identifiers likely include variants of cpe:2.3:h:microhard:bulletlte-na2:*:*:*:*:*:*:*:* and cpe:2.3:h:microhard:ipn4gii-na2:*:*:*:*:*:*:*:*, though exact CPE strings should be verified against NIST NVD. No vendor advisory URL is provided in the CVE description, suggesting either Microhard has not published a public advisory or the CVE record lacks external references at time of analysis.
Remediation
1. **Patch Management**: Contact Microhard directly to determine patch/firmware update availability. At CVE publication, no general fix was available; request status on firmware versions resolving CVE-2025-35007.
2. **Access Control Mitigation**: Restrict local access to Microhard devices via physical security, VPN segmentation, or host-based access controls; implement principle of least privilege for user accounts with AT command interface access.
3. **Network Segmentation**: Isolate affected devices on dedicated VLANs or air-gapped networks where feasible.
4. **Input Validation Workaround**: If device management interface is accessible, review AT+MFRULE command logs for suspicious argument patterns (e.g., unescaped pipe characters, semicolons, backticks).
5. **Monitoring**: Deploy IDS/IPS rules to detect abnormal AT command sequences on serial/modem interfaces if network-accessible.
6. **Vendor Communication**: Monitor Microhard security advisories and CERT/CC alerts for patch releases. Escalate to vendor if no remediation timeline is provided.
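One way to run the log review in item 4, added here as an example (it is not code from Microhard or from the CVE record). The log line layout, the `ARG1`/`PLACEHOLDER` argument values and the function names are assumptions; the page does not give the AT+MFRULE argument syntax or a log format.

```python
import re

# Characters the remediation text names as suspicious; extend for your environment.
SUSPICIOUS = {"|": "pipe", ";": "semicolon", "`": "backtick"}

# Capture everything after AT+MFRULE (optionally followed by "=") as the argument string.
CMD_RE = re.compile(r"AT\+MFRULE\s*=?\s*(?P<args>.*)$", re.IGNORECASE)


def unescaped_hits(args):
    """Return (index, name) for each suspicious character that is not
    backslash-escaped, i.e. preceded by an even number of backslashes."""
    hits = []
    backslashes = 0
    for i, ch in enumerate(args):
        if ch == "\\":
            backslashes += 1
            continue
        if ch in SUSPICIOUS and backslashes % 2 == 0:
            hits.append((i, SUSPICIOUS[ch]))
        backslashes = 0
    return hits


def scan(lines):
    """Return one finding per AT+MFRULE log line with unescaped metacharacters."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = CMD_RE.search(line.rstrip("\r\n"))
        if not m:
            continue
        hits = unescaped_hits(m.group("args"))
        if hits:
            reasons = sorted({name for _, name in hits})
            findings.append({"line": lineno, "args": m.group("args"), "reasons": reasons})
    return findings


# Constructed sample log lines (assumed format, placeholder arguments).
SAMPLE_LOG = [
    "2025-01-01T00:00:01Z user=operator cmd=AT+MFRULE=ARG1,ARG2",
    "2025-01-01T00:00:02Z user=operator cmd=AT+MFRULE=ARG1,ARG2;PLACEHOLDER",
    "2025-01-01T00:00:03Z user=operator cmd=AT",
    "2025-01-01T00:00:04Z user=operator cmd=at+mfrule=ARG1,`PLACEHOLDER`",
    "2025-01-01T00:00:05Z user=operator cmd=AT+MFRULE=ARG1,A\\|B",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit is a prompt for manual review of that session, not proof of exploitation; legitimate rule arguments may differ on real devices.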
EUVD-2025-17401