CVE-2025-34093 HIGH

CVE-2025-34093: Polycom HDX Series Telnet Command Injection via lan traceroute

Vendor: Polycom
Product: HDX Series
Weakness: CWE-78
Published: July 10, 2025
Last update: April 7, 2026

CVSS base score

7.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

An authenticated command injection vulnerability exists in the Polycom HDX Series command shell interface accessible over Telnet. The lan traceroute command in the devcmds console accepts unsanitized input, allowing attackers to execute arbitrary system commands. By injecting shell metacharacters through the traceroute interface, an attacker can achieve remote code execution under the context of the root user. This flaw affects systems where Telnet access is enabled and either unauthenticated access is allowed or credentials are known.

Key dates

02 Disclosure timeline

July 10, 2025: CVE published
April 7, 2026: Record updated