CVE-2025-0680 CRITICAL

CVE-2025-0680: New Rock Technologies Cloud Connected Devices has an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability.

Vendor New Rock Technologies
Product OM500 IP-PBX
Weakness CWE-78
Published January 30, 2025
Last update January 30, 2025

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Affected products contain a vulnerability in the device cloud RPC command handling process that could allow remote attackers to take control of arbitrary devices connected to the cloud.

Key dates

02 Disclosure timeline

January 30, 2025 CVE published
January 30, 2025 Record updated