EUVD-2025-17409

| CVE-2025-32455 HIGH
2025-06-08 [email protected]
7.7
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 14, 2026 - 19:17 vuln.today
EUVD ID Assigned
Mar 14, 2026 - 19:17 euvd
EUVD-2025-17409
CVE Published
Jun 08, 2025 - 21:15 nvd
HIGH 7.7

Tags

Command Injection RCE Qcs Ax3 A12 Firmware Qsr10ga Firmware Qd840 Firmware Qv840 Firmware Qcs Ax2 T12 Firmware Qcs Ax2 T8 Firmware Qv860 Firmware Qv952c Firmware Qhs710 Firmware Qcs Ax3 S5 Firmware Qcs Ax3 T8 Firmware Qsr10gu Firmware Qcs Ax2 A12 Firmware Qv942c Firmware Qcs Ax3 T12 Firmware Qv840c Firmware Qcs Ax2 S5 Firmware Qv940 Firmware

Description

The Quantenna Wi-Fi chipset ships with a local control script, router_command.sh (in the run_cmd argument), that is vulnerable to command injection. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.7 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). This issue affects Quantenna Wi-Fi chipset through version 8.0.0.28 of the latest SDK, and appears to be unpatched at the time of this CVE record's first publishing, though the vendor has released a best practices guide for implementors of this chipset.

Analysis

A command injection vulnerability exists in the Quantenna Wi-Fi chipset's router_command.sh local control script, allowing unauthenticated local attackers to execute arbitrary commands with high impact on confidentiality and integrity. The vulnerability affects Quantenna Wi-Fi chipset versions through 8.0.0.28 of the latest SDK and remains unpatched as of the CVE publication date, though the vendor has provided best practices guidance rather than a direct patch. With a CVSS score of 7.7 and local attack vector requirements, this poses significant risk to routers and access points using affected Quantenna chipsets, particularly in multi-user or compromised-local-network scenarios.

Technical Context

This vulnerability is classified as CWE-88 (Improper Neutralization of Argument Delimiters in a Command / Argument Injection), a command injection variant distinct from traditional command injection (CWE-78). The flaw exists in the router_command.sh script within the Quantenna Wi-Fi chipset SDK, specifically in how the 'run_cmd' argument is processed. The script fails to properly sanitize or quote shell metacharacters and argument delimiters, allowing an attacker to inject additional shell commands or modify command arguments through crafted input. Quantenna chipsets are commonly integrated into consumer and enterprise Wi-Fi routers and access points as the primary wireless controller; the affected CPE would be 'cpe:2.3:h:quantenna:wifi_chipset:*:*:*:*:*:*:*:*' with version constraints through 8.0.0.28. The vulnerability requires local access to invoke the vulnerable script, making it exploitable through local user accounts, SSH access, or web interfaces that invoke the script backend.

Affected Products

Quantenna Wi-Fi Chipset versions up to and including 8.0.0.28 (latest SDK at time of CVE publication). Affected CPE: cpe:2.3:h:quantenna:wifi_chipset:*:*:*:*:*:*:*:* (all versions ≤ 8.0.0.28). This includes all end-user routers and access points integrating this chipset, such as models from major OEMs (ASUS, Netgear, TP-Link, and others) that license Quantenna technology. Specific OEM product advisories should be cross-referenced, as Quantenna is a chipset vendor; the actual vulnerable products are the routers/APs embedding these chipsets. Vendor advisory: Quantenna has released a 'best practices guide for implementors' rather than a direct patch, indicating mitigation responsibility falls on OEM integrators to apply secure coding practices in their implementations or wait for updated SDK versions.

Remediation

1. **Vendor Patch (Long-term)**: Await Quantenna SDK version > 8.0.0.28 with the command injection flaw remediated. OEM partners should plan chipset SDK upgrades as patches become available. 2. **Immediate Mitigation**: Implement input validation and sanitization in router_command.sh or any wrapper invoking it—specifically, use shell quoting (e.g., single quotes or $'...' syntax) and argument arrays to prevent argument delimiter interpretation. 3. **Workarounds**: OEM integrators should apply the Quantenna best practices guide immediately, which likely includes proper escaping of the run_cmd argument and removal of dangerous shell metacharacters. Restrict access to the vulnerable script via strict ACLs and disable unnecessary local administrative interfaces if possible. 4. **Configuration Hardening**: Disable local SSH/Telnet access to the router CLI if not required; use strong credentials if enabled. 5. **Monitoring**: Log all invocations of router_command.sh and monitor for suspicious argument patterns. 6. **OEM Advisory**: Check with your router/AP manufacturer for a firmware update implementing Quantenna's remediation guidance.

Priority Score

39
Low Medium High Critical
KEV: 0
EPSS: +0.2
CVSS: +38
POC: 0

Share

EUVD-2025-17409 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy