CVE-2025-13605 CRITICAL

CVE-2025-13605: Shell command injection in 3onedata GW1101-1D(RS-485)-TB-P modbus gateway

Vendor 3Onedata
Product GW1101-1D(RS-485)-TB-P
Weakness CWE-78
Published May 4, 2026
Last update May 4, 2026

CVSS base score

9.3/10
Attack vector Adjacent
Attack complexity Low
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01 Description

The 3onedata Modbus gateway model GW1101-1D(RS-485)-TB-P (hardware version V2.2.0) allows authenticated users to execute arbitrary shell commands in the context of the root user by supplying a payload in the "IP address" field of the diagnosis test tools. This issue has been resolved in firmware version 3.0.59B2024080600R4353.

Key dates

02 Disclosure timeline

May 4, 2026 CVE published
May 4, 2026 Record updated