Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
9DescriptionCVE.org
Perle IOLAN STS/SCS terminal server models with firmware versions prior to 6.0 allow authenticated OS command injection via the restricted shell accessed over Telnet or SSH. The shell 'ps' command does not perform proper argument sanitization and passes user-supplied parameters into an 'sh -c' invocation running as root. An authenticated attacker who can log in to the device can inject shell metacharacters after the 'ps' subcommand to execute arbitrary OS commands with root privileges, leading to full compromise of the underlying operating system.
AnalysisAI
Authenticated attackers can execute arbitrary commands as root on Perle IOLAN STS and SCS terminal servers (firmware <6.0) by injecting shell metacharacters through the restricted shell's 'ps' command. This command injection flaw (CWE-78) allows full operating system compromise after gaining access via Telnet or SSH. VulnCheck reported this vulnerability with vendor patch now available in firmware 6.0. EPSS score of 0.14% (34th percentile) indicates low predicted exploitation probability, and no active exploitation or public POC has been identified at time of analysis.
Technical ContextAI
Perle IOLAN STS (Serial Terminal Server) and SCS (Secure Console Server) devices are enterprise terminal server appliances used for out-of-band management and serial device connectivity. The vulnerability stems from improper input sanitization in the restricted shell's 'ps' command implementation, which internally invokes 'sh -c' with user-supplied arguments running in a privileged context. This is a classic OS command injection vulnerability (CWE-78) where special shell metacharacters (such as semicolons, pipes, backticks, or command substitution syntax) are not properly escaped before being passed to a shell interpreter. The restricted shell is designed to limit user actions, but this implementation flaw bypasses those restrictions by allowing arbitrary command execution through a seemingly innocuous process listing utility. The commands execute with root privileges, completely subverting the intended security boundary. Affected products are identified by CPE strings cpe:2.3:a:perle_systems:iolan_sts:*:*:*:*:*:*:*:* and cpe:2.3:a:perle_systems:iolan_scs:*:*:*:*:*:*:*:* for all firmware versions prior to 6.0.
RemediationAI
Upgrade all affected Perle IOLAN STS and SCS terminal servers to firmware version 6.0 or later, which contains vendor-released patches addressing the command injection vulnerability in the restricted shell's 'ps' command implementation. Firmware downloads and upgrade instructions are available from Perle Systems at https://www.perle.com/downloads/server_sds_sts_rackmount.shtml with device-specific procedures documented in the IOLAN SCS/SDS/STS User Guide at https://www.perle.com/support_services/documentation_pdfs/iolan_scs-sds-sts_ug.pdf. If immediate patching is not feasible, implement compensating controls including restricting network access to IOLAN management interfaces (Telnet/SSH) to dedicated out-of-band management networks with strict firewall rules allowing only trusted administrator IP addresses, enforcing strong authentication policies with complex passwords or certificate-based SSH authentication, disabling Telnet in favor of SSH-only access, implementing multi-factor authentication if supported by the environment, and establishing monitoring for unusual command patterns or failed authentication attempts. Note that network restrictions do not eliminate risk if attackers gain credentials through other means (phishing, credential reuse) but reduce attack surface. These workarounds should be considered temporary measures only, as the underlying code flaw remains exploitable by any authenticated user until firmware is upgraded.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12580