EUVD-2025-17404

CVE-2025-35004 HIGH
2025-06-08 [email protected]
CVSS 3.1: 7.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

4 events

Analysis Generated: Mar 14, 2026 - 19:17 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 19:17 (euvd), EUVD-2025-17404
PoC Detected: Jan 12, 2026 - 16:54 (vuln.today), public exploit code
CVE Published: Jun 08, 2025 - 21:15 (nvd), HIGH 7.1

Description

Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue in the AT+MFIP command that can lead to privilege escalation. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). This issue has not been generally fixed at the time of this CVE record's first publishing.

Analysis

Post-authentication command injection vulnerability in the AT+MFIP command affecting Microhard BulletLTE-NA2 and IPn4Gii-NA2 products, enabling authenticated local attackers to achieve privilege escalation through improper argument delimiter neutralization (CWE-88). With a CVSS 7.1 score and no indication of general fixes at publication, this vulnerability presents a moderate-to-high risk for systems using affected modem/gateway products; exploitation requires local access and valid credentials but no user interaction.

Technical Context

The vulnerability exists in the AT command interface (Hayes command protocol) used by Microhard cellular modems. The AT+MFIP command, which likely configures IP-related parameters on these LTE modems, fails to properly sanitize or delimit arguments passed by authenticated users. This is a classic argument injection flaw (CWE-88) where an attacker with local shell access or an authenticated command-line interface session can inject shell metacharacters or additional commands into the AT+MFIP command string, bypassing intended command boundaries. Microhard's BulletLTE-NA2 and IPn4Gii-NA2 are industrial-grade LTE gateway/modem devices commonly deployed in remote monitoring, IoT, and critical infrastructure applications where they bridge cellular networks to local systems. The AT command parser does not implement proper input validation or escaping, allowing privilege escalation from an authenticated user context to potentially root or modem firmware-level access.

Affected Products

Microhard Systems products incorporating the following modem modules: (1) BulletLTE-NA2—industrial LTE modem/gateway; (2) IPn4Gii-NA2—industrial LTE gateway. CPE strings would likely be: cpe:2.3:h:microhard:bulletlte-na2:*:*:*:*:*:*:*:* and cpe:2.3:h:microhard:ipn4gii-na2:*:*:*:*:*:*:*:*. Any end products (routers, gateways, IoT controllers, telemetry systems) that embed these modems are affected. Specific version information is not disclosed in the CVE, suggesting all firmware versions using these modem chipsets are vulnerable unless explicitly patched. Microhard has not issued general patches as of CVE publication.

Remediation

No vendor patches are explicitly documented as available at CVE publication. Recommended actions:

(1) Contact Microhard Systems directly to request security updates or patches for BulletLTE-NA2 and IPn4Gii-NA2 firmware.
(2) Implement strong access controls: restrict local shell/serial access to the modems to authorized personnel only, and enforce strong authentication on any AT command interfaces.
(3) Network segmentation: isolate cellular gateway devices on restricted networks with minimal lateral movement risk.
(4) Monitor AT command logs for suspicious AT+MFIP invocations with unusual argument patterns.
(5) Firmware lockdown: disable AT command interfaces if not operationally necessary, or restrict to administrative serial ports only.
(6) Consider replacing vulnerable modems with patched alternatives or vendors offering better security practices if Microhard does not issue timely updates.

Workarounds are limited due to the architectural nature of the flaw; patching is the primary remediation path.
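Action (4) above can be implemented as an allowlist check over AT command logs; the following is an added example, not code from vuln.today or Microhard. The log line format, the sample lines and the permitted character set are assumptions, because this page does not document the AT+MFIP argument syntax.

```python
import re

# Assumptions (not from the advisory): one AT command per log line after a
# "timestamp user" prefix; arguments are comma-separated after "=".
# The real AT+MFIP syntax is not documented here, so this is a conservative
# allowlist, not a grammar for the command.
MFIP = re.compile(r"AT\+MFIP\b(.*)$", re.IGNORECASE)
SAFE_ARG = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.:_/-]*$")

# Constructed sample log lines.
SAMPLE_LOG = [
    "2025-01-01T10:00:01Z admin AT+MFIP=1,10.0.0.5,8080",
    "2025-01-01T10:00:09Z admin AT+MFIP?",
    "2025-01-01T10:01:30Z oper1 AT+MFIP=1,10.0.0.5 -x,8080",
    "2025-01-01T10:02:02Z oper1 AT+MFIP=1,10.0.0.5;EXTRA,8080",
    "2025-01-01T10:02:40Z oper1 AT+CSQ",
]

def check_line(line):
    """Return reasons an AT+MFIP line is suspicious; empty list if clean."""
    m = MFIP.search(line.strip())
    if not m:
        return []                      # not an AT+MFIP invocation
    tail = m.group(1)
    if tail in ("", "?", "=?"):
        return []                      # query forms carry no arguments
    if not tail.startswith("="):
        return ["unexpected text after command name"]
    reasons = []
    for i, arg in enumerate(tail[1:].split(","), start=1):
        if len(arg) >= 2 and arg.startswith('"') and arg.endswith('"'):
            arg = arg[1:-1]            # strip one pair of surrounding quotes
        if arg == "":
            continue                   # empty optional parameter
        if arg.startswith("-"):
            reasons.append(f"arg {i}: leading '-' (option-style token)")
        elif re.search(r"\s", arg):
            reasons.append(f"arg {i}: embedded whitespace")
        elif not SAFE_ARG.match(arg):
            reasons.append(f"arg {i}: character outside allowlist")
    return reasons

def scan(lines):
    """Map 1-based line number to reasons, for suspicious lines only."""
    hits = {n: check_line(l) for n, l in enumerate(lines, start=1)}
    return {n: r for n, r in hits.items() if r}

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG).items():
        print(n, SAMPLE_LOG[n - 1], "->", "; ".join(reasons))
```

Quoted arguments that themselves contain commas are split and flagged, which errs toward alerting; tighten `SAFE_ARG` once the vendor's documented parameter format is known.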

Priority Score

56 (scale: Low, Medium, High, Critical)
KEV: 0
EPSS: +0.2
CVSS: +36
POC: +20
