
EUVD-2025-21033 | CVE-2025-34093 (HIGH)
OS Command Injection (CWE-78)
2025-07-10 · disclosure@vulncheck.com
7.5 (CVSS 4.0, NVD)

Severity by source

NVD (primary): 7.5 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None

Lifecycle Timeline (7 events)

Apr 16, 2026 06:28 | EUVD-patch-fix | Analysis Updated (executive_summary)
Apr 16, 2026 05:29 | backfill_euvd_patch | Re-analysis Queued (patch_released)
Apr 16, 2026 05:29 | EUVD | Patch available (3.1.11)
Mar 16, 2026 06:52 | euvd | EUVD ID Assigned (EUVD-2025-21033)
Mar 16, 2026 06:52 | vuln.today | Analysis Generated
Jul 15, 2025 13:14 | vuln.today | PoC Detected (Public exploit code)
Jul 10, 2025 20:15 | nvd | CVE Published (HIGH 7.5)

Description (CVE.org)

An authenticated command injection vulnerability exists in the Polycom HDX Series command shell interface accessible over Telnet. The lan traceroute command in the devcmds console accepts unsanitized input, allowing attackers to execute arbitrary system commands. By injecting shell metacharacters through the traceroute interface, an attacker can achieve remote code execution under the context of the root user. This flaw affects systems where Telnet access is enabled and either unauthenticated access is allowed or credentials are known.

Analysis (AI)

Polycom HDX Series video conferencing systems contain an authenticated command injection in the LAN traceroute function. The devcmds console accessible over Telnet allows injection of shell metacharacters through the traceroute target parameter, enabling arbitrary command execution on the conferencing endpoint.

Technical Context (AI)

The devcmds console accessible via Telnet provides network diagnostic commands. The lan traceroute command passes the target parameter to a system call without sanitization. An attacker with Telnet credentials can inject shell commands that execute on the Polycom device's underlying Linux system.
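As an added illustration of the pattern described above (example code, not Polycom's; the function names and the hostname allow-list are assumptions), the following shows a shell-based traceroute invocation of the kind that produces CWE-78, beside a hardened version that validates the target and executes traceroute with no shell in between:

```c
/* Added example, not Polycom's code: how a diagnostics console can run
 * "traceroute <target>" without CWE-78. Names and the allow-list are assumed. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern: the target is spliced into a shell command line, so
 * /bin/sh interprets any metacharacters it contains with the caller's
 * privileges (root, on the device the page describes). */
int traceroute_unsafe(const char *target) {
    char cmd[300];
    snprintf(cmd, sizeof cmd, "traceroute %s", target);
    return system(cmd);
}

/* Allow-list check: only characters that can appear in a hostname or an
 * IPv4/IPv6 literal (letters, digits, '.', '-', ':'), bounded length, and no
 * leading '-' so the value cannot be parsed as a traceroute option.
 * Returns 1 if the target is acceptable, 0 otherwise. */
int is_valid_target(const char *target) {
    size_t len = strlen(target);
    if (len == 0 || len > 253 || target[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)target[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != ':') return 0;
    }
    return 1;
}

/* Hardened form: reject anything outside the allow-list, then exec the
 * traceroute binary directly with an argv array. No shell is involved, so
 * nothing in the target is ever interpreted as shell syntax. Returns the
 * child's exit status, or -1 if the target was rejected or spawning failed. */
int traceroute_safe(const char *target) {
    if (!is_valid_target(target)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "traceroute", (char *)target, NULL };
        execvp("traceroute", argv);
        _exit(127);                /* exec failed: traceroute not found */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The allow-list plus argv-based exec is the fix; dropping root for the diagnostics console would further limit what any remaining bug could reach.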

Remediation (AI)

Disable Telnet access and use SSH. Change default credentials. Isolate video conferencing endpoints on a dedicated VLAN. Monitor Telnet/SSH access logs for unauthorized logins.


EUVD-2025-21033 vulnerability details – vuln.today
