CVE-2025-23237 MEDIUM

CVE-2025-23237

Vendor I-O Data Device, Inc.

Product UD-LT2

Weakness CWE-78

Published January 22, 2025

Last update February 12, 2025

View on NVD All CVEs

CVSS base score

6.6/10

Attack vector Network

Attack complexity High

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. If a user logs in to CLI of the affected product, an arbitrary OS command may be executed.

Key dates

02Disclosure timeline

January 22, 2025 CVE published

February 12, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-23237

Related vulnerabilities

04Related CVE

CVE-2025-26613 OS Command Injection endpoint 'gerenciar_backup.php' parameter 'file' (RCE) in WeGIA CVE-2021-33548 UDP Technology/Geutebrück camera devices: Command injection in preserve parameter leading to RCE CVE-2025-43875 iSTAR Ultra, Ultra SE, Ultra G2, Ultra G2 SE, iSTAR Edge G2 - Authenticated web application command injection - getOptionsInfo CVE-2024-45698 D-Link WiFi router - OS Command Injection CVE-2025-2367 Oiwtech OIW-2431APGN-HP Personal Script Submenu formScript os command injection

Identifiers

CVE CVE-2025-23237

CWE CWE-78

CVSS 6.6 / MEDIUM

Affected versions

Vendor I-O Data Device, Inc.

Product UD-LT2

Affected firmware Ver.1.00.008_SE and earlier