CVE-2025-35007 HIGH

CVE-2025-35007: Microhard Bullet-LTE and IPn4Gii AT+MFRULE Argument Injection

Vendor Microhard
Product IPn4Gii / Bullet-LTE Firmware
Weakness CWE-88
Published June 8, 2025
Last update June 9, 2025

CVSS base score

7.1/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue in the AT+MFRULE command that can lead to privilege escalation. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). This issue has not been generally fixed at the time of this CVE record's first publishing.

Key dates

02Disclosure timeline

June 8, 2025 CVE published
June 9, 2025 Record updated

Related vulnerabilities

04Related CVE