CVE-2025-3626 CRITICAL

CVE-2025-3626: OS Command Injection via Config Upload in WebUI

Vendor Frauscher

Product FDS102

Weakness CWE-78

Published July 7, 2025

Last update July 7, 2025

View on NVD All CVEs

CVSS base score

9.1/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

A remote attacker with administrator account can gain full control of the device due to improper neutralization of special elements used in an OS Command ('OS Command Injection') while uploading a config file via webUI.

Key dates

02Disclosure timeline

July 7, 2025 CVE published

July 7, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-3626 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

04Related CVE

CVE-2026-2157 D-Link DIR-823X set_static_route_table sub_4175CC os command injection CVE-2022-2024 OS Command Injection in gogs/gogs CVE-2026-25933 Arduino App Lab has Improper Data Validation in Internal Terminal Interface CVE-2023-6304 Tecno 4G Portable WiFi TR118 Ping Tool goform_get_cmd_process os command injection CVE-2026-11341 D-Link DWR-M920 formIMEISetup sub_412DA0 os command injection