CVE-2025-35005 HIGH

CVE-2025-35005: Microhard Bullet-LTE and IPn4Gii AT+MFMAC Argument Injection

Vendor Microhard
Product IPn4Gii / Bullet-LTE Firmware
Weakness CWE-88
Published June 8, 2025
Last update June 9, 2025

CVSS base score

7.1/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue in the AT+MFMAC command that can lead to privilege escalation. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). This issue has not been generally fixed at the time of this CVE record's first publishing.

Key dates

02Disclosure timeline

June 8, 2025 CVE published
June 9, 2025 Record updated