
3onedata GW1101-1D Modbus Gateway EUVD-2025-209614

CVE-2025-13605 | CRITICAL | OS Command Injection (CWE-78)
2026-05-04 | CERT-PL | CVSS 4.0: 9.3

CVSS Vector (NVD)

CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: X

Lifecycle Timeline (7 events)

May 04, 2026 - 17:16: Analysis Generated (vuln.today)
May 04, 2026 - 16:02: Patch available (EUVD)
May 04, 2026 - 15:22: CVSS changed (NVD): 9.3 (CRITICAL)
May 04, 2026 - 15:16: Patch released (nvd): Patch available
May 04, 2026 - 15:00: EUVD ID Assigned (euvd): EUVD-2025-209614
May 04, 2026 - 15:00: Analysis Generated (vuln.today)
May 04, 2026 - 14:52: CVE Published (nvd): CRITICAL 9.3

Description (NVD)

3onedata modbus gateway device model GW1101-1D(RS-485)-TB-P (hardware version V2.2.0) allows authenticated users to execute arbitrary shell commands in the context of the root user by providing a payload in the "IP address" field of the diagnosis test tools. This issue has been resolved in firmware version 3.0.59B2024080600R4353.

Analysis (AI)

Command injection in 3onedata GW1101-1D(RS-485)-TB-P Modbus gateway allows authenticated high-privilege users on adjacent networks to execute arbitrary shell commands as root via malicious input in the IP address field of diagnostic test tools. Exploitation requires administrative credentials and adjacent network access (CVSS 4.0: 9.3 AV:A/AC:L/PR:H). SSVC assessment indicates no active exploitation, non-automatable attack, with total technical impact. Fixed in firmware version 3.0.59B2024080600R4353.

Technical Context (AI)

This vulnerability affects 3onedata's GW1101-1D(RS-485)-TB-P industrial Modbus gateway device (hardware version V2.2.0), which provides protocol conversion between Modbus RTU/TCP and cellular networks for industrial IoT deployments. The flaw is a classic OS command injection (CWE-78) in the device's web-based diagnostic utilities. The IP address input field in diagnosis test tools (likely ping, traceroute, or similar network diagnostic features) fails to sanitize user input before passing it to system shell commands. Since the gateway's web interface runs with root privileges (common in embedded devices), successful injection grants complete system control. The CPE identifier confirms this affects the specific GW1101-1D(RS-485)-TB-P model across all firmware versions prior to the patched release.
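The input handling a diagnostic tool of this kind needs, as an added example (not 3onedata's firmware code and not taken from the advisory): the "IP address" field is accepted only if it parses as a single IPv4 or IPv6 literal, and the tool is started with an argument vector rather than a shell command string. The function names, the ping arguments and the `/bin/ping` path are assumptions; the sample inputs are constructed.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return 1 only if field is exactly one IPv4 or IPv6 literal. */
int is_ip_literal(const char *field)
{
    unsigned char buf[sizeof(struct in6_addr)];
    if (field == NULL || strlen(field) >= INET6_ADDRSTRLEN)
        return 0;
    return inet_pton(AF_INET, field, buf) == 1 || inet_pton(AF_INET6, field, buf) == 1;
}

/* Build an argument vector; the field is never spliced into a command string. */
int build_ping_argv(const char *field, const char *argv[5])
{
    if (!is_ip_literal(field))
        return -1;
    argv[0] = "ping"; argv[1] = "-c"; argv[2] = "4";
    argv[3] = field;  argv[4] = NULL;
    return 0;
}

/* Run the diagnostic with execv(), so no shell ever parses the field. */
int run_ping(const char *field)
{
    const char *argv[5];
    int status;
    if (build_ping_argv(field, argv) != 0)
        return -1;                       /* rejected before any process starts */
    pid_t pid = fork();
    if (pid == 0) {
        execv("/bin/ping", (char *const *)argv);   /* path is an assumption */
        _exit(127);
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample values for the "IP address" field. */
    const char *s[] = { "192.0.2.10", "2001:db8::1", "192.0.2.10;id", "-f" };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-16s %s\n", s[i], is_ip_literal(s[i]) ? "accept" : "reject");
    return 0;
}
```

Strict parsing also rejects values that begin with `-`, which would otherwise reach the tool as an option even without a shell.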

Remediation (AI)

Upgrade to firmware version 3.0.59B2024080600R4353 or later, available from 3onedata. This is the vendor-confirmed fix version that resolves the command injection vulnerability.

For environments unable to immediately patch, implement network-based compensating controls:

(1) Restrict administrative interface access to dedicated management VLANs with strict IP whitelisting, eliminating adjacent network access paths.
(2) Disable or remove diagnostic test tool functionality if not operationally required - this eliminates the attack surface entirely but may impact troubleshooting capabilities.
(3) Implement command execution monitoring/logging on the device if supported, to detect injection attempts (though this provides detection, not prevention).
(4) Enforce principle of least privilege by creating read-only operator accounts instead of sharing full administrative credentials, though this may limit legitimate administrative functions.

Verify patch application by checking firmware version in device management interface post-upgrade. Reference CERT-PL advisory at https://cert.pl/en/posts/2026/05/CVE-2025-13605 for additional vendor guidance.
