What the vulnerability does
01Description
Improper neutralization of special elements in the SMA100 management interface allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user which potentially leads to DoS.
CVSS base score
—
CISA mandated remediation
02CISA Required Action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Key dates
03Disclosure timeline
September 27, 2021
CVE published
October 21, 2025
Record updated
External resources
04References
Related vulnerabilities
05Related CVE
CVE-2025-5525 Jrohy trojan linux.go LogChan os command injection
CVE-2026-39382 dbt has a Command Injection in Reusable Workflow via Unsanitized comment-body Output
CVE-2024-3659 Command injection in KAON AR2140 routers
CVE-2021-1264 Cisco DNA Center Command Runner Command Injection Vulnerability
CVE-2024-9139 OS Command Injection in Restricted Command
