CVE-2025-50475

Published: Jul 31, 2025Modified: Jul 31, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

An OS command injection vulnerability exists in Russound MBX-PRE-D67F firmware version 3.1.6, allowing unauthenticated attackers to execute arbitrary commands as root via crafted input to the hostname parameter in network configuration requests. This vulnerability stems from improper neutralization of special elements used in an OS command within the network configuration handler, enabling remote code execution with the highest privileges.

Related CWEs

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (3)

https://drive.google.com/file/d/1ZmZHzJKU-nrhFXd9w94aiGXYYYldtmni/view?usp=sharing

Source: cve@mitre.org

https://pastebin.com/ic8hkC5V

Source: cve@mitre.org

https://pastebin.com/raw/0U6F55G5

Source: cve@mitre.org

Timeline

No history available yet.