EUVD-2025-17411

| CVE-2025-3460 HIGH
2025-06-08 [email protected]
7.7
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
Mar 14, 2026 - 19:17 vuln.today
EUVD ID Assigned
Mar 14, 2026 - 19:17 euvd
EUVD-2025-17411
PoC Detected
Jan 21, 2026 - 16:02 vuln.today
Public exploit code
CVE Published
Jun 08, 2025 - 21:15 nvd
HIGH 7.7

Tags

Command Injection Qcs Ax3 T8 Firmware Qv942c Firmware Qsr10gu Firmware Qv840 Firmware Qv840c Firmware Qhs710 Firmware Qcs Ax3 T12 Firmware Qsr10ga Firmware Qcs Ax2 S5 Firmware Qv860 Firmware Qcs Ax2 A12 Firmware Qcs Ax2 T12 Firmware Qv952c Firmware Qd840 Firmware Qv940 Firmware Qcs Ax2 T8 Firmware Qcs Ax3 S5 Firmware Qcs Ax3 A12 Firmware

Description

The Quantenna Wi-Fi chipset ships with a local control script, set_tx_pow, that is vulnerable to command injection. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.7 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). This issue affects Quantenna Wi-Fi chipset through version 8.0.0.28 of the latest SDK, and appears to be unpatched at the time of this CVE record's first publishing, though the vendor has released a best practices guide for implementors of this chipset.

Analysis

Command injection vulnerability in Quantenna Wi-Fi chipset control scripts (specifically the set_tx_pow utility) that allows local, unauthenticated attackers to execute arbitrary commands with elevated privileges. The vulnerability affects Quantenna Wi-Fi chipset SDK through version 8.0.0.28 and remains unpatched at the time of disclosure, though the vendor has issued a best practices guide. An attacker with local access can leverage CWE-88 (argument injection) to compromise system integrity and confidentiality.

Technical Context

The Quantenna Wi-Fi chipset SDK includes a local control script (set_tx_pow) responsible for transmit power configuration on Wi-Fi interfaces. This script fails to properly sanitize and neutralize command-line argument delimiters (CWE-88), allowing an attacker to inject shell metacharacters or additional commands into the argument processing logic. The vulnerability resides in the command construction phase where user-supplied input is concatenated directly into system calls without proper escaping, quoting, or parameterized command construction. This is a classic argument injection flaw distinct from simple command injection, where delimiters themselves become the attack vector rather than shell command separators. Affected products include devices implementing Quantenna Wi-Fi chipsets (CPE pattern: qualcomm-quantenna products) across multiple OEM implementations (routers, access points, embedded systems). The root cause is improper input validation in a privileged local utility.

Affected Products

Quantenna Wi-Fi Chipset SDK (Through version 8.0.0.28)

Remediation

Best practices mitigation: Apply Quantenna vendor-issued best practices guide for safe implementation of set_tx_pow and similar control scripts Input validation workaround: For integrators: Rewrite set_tx_pow to use parameterized command execution (exec() with array arguments in interpreted languages, or execlp/execvp in C) instead of shell command construction Monitoring: Monitor for unexpected calls to set_tx_pow with unusual arguments (e.g., semicolons, pipes, backticks, $() syntax)

Priority Score

59
Low Medium High Critical
KEV: 0
EPSS: +0.3
CVSS: +38
POC: +20

Share

EUVD-2025-17411 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy