EUVD-2025-17405Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
The Quantenna Wi-Fi chipset ships with a local control script, router_command.sh (in the sync_time argument), that is vulnerable to command injection. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.7 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
This issue affects Quantenna Wi-Fi chipset through version 8.0.0.28 of the latest SDK, and appears to be unpatched at the time of this CVE record's first publishing, though the vendor has released a best practices guide for implementors of this chipset.
AnalysisAI
A command injection vulnerability exists in the Quantenna Wi-Fi chipset's router_command.sh script, specifically in the sync_time argument handler, allowing unauthenticated local attackers to execute arbitrary commands with high impact on confidentiality and integrity. The vulnerability affects Quantenna Wi-Fi chipset SDK versions through 8.0.0.28 and remains unpatched as of the CVE publication date, though the vendor has released implementation best practices rather than a direct patch. The CVSS 7.7 score reflects the local attack vector but high-impact consequences; exploitation requires local access but no privileges or user interaction.
Technical ContextAI
The vulnerability is an instance of CWE-88 (Improper Neutralization of Argument Delimiters in a Command), a class of injection flaws where user-controlled input is concatenated into shell commands without proper escaping or validation. The affected component is router_command.sh, a control script bundled with Quantenna Wi-Fi chipsets (likely embedded in routers, access points, and wireless networking devices using Quantenna's silicon). The sync_time argument handler fails to sanitize shell metacharacters and command separators (e.g., ;, |, $()), allowing an attacker with local shell access to break out of the intended argument context and inject arbitrary commands. This is a classic shell injection pattern common in legacy embedded scripts that concatenate user input directly into system() or exec() calls. Quantenna's chipsets are widely integrated into third-party router firmware and networking equipment, making the scope of affected products potentially very broad despite the SDK-level vulnerability.
RemediationAI
Immediate mitigations: (1) Restrict local shell access to router_command.sh via file permissions and access controls; (2) Disable or remove the sync_time feature if not operationally required; (3) Implement input validation at the application layer that calls router_command.sh to reject shell metacharacters in the sync_time argument. Long-term remediation: (1) Contact your router/device OEM for a firmware update that patches the underlying Quantenna SDK or implements proper argument sanitization (e.g., using shell_escape(), avoiding shell interpretation via direct exec with argv array); (2) Replace router_command.sh with a reimplemented version that uses safe argument passing (e.g., direct system calls with argument arrays rather than shell string concatenation); (3) Implement a local input validation layer that strips or rejects characters like ;, |, $, backticks, and newlines before passing arguments to the script. Workaround for integrators: follow Quantenna's released best practices guide for safe script implementation, likely recommending quoted arguments, argument validation, and avoiding eval-like patterns. No official patch version number was provided; recommend checking with your OEM for updates after this CVE publication.
Share
External POC / Exploit Code
Leaving vuln.today