CVE-2025-8648 MEDIUM

CVE-2025-8648: Kenwood DMX958XR Firmware Update Command Injection Vulnerability

Vendor Kenwood

Product DMX958XR

Weakness CWE-78

Published August 6, 2025

Last update August 6, 2025

View on NVD All CVEs

CVSS base score

6.8/10

Attack vector Physical

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26271.

Key dates

02Disclosure timeline

August 6, 2025 CVE published

August 6, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-8648 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

CVE-2025-8648: Kenwood DMX958XR Firmware Update Command Injection Vulnerability

01Description

02Disclosure timeline

03References

04Related CVE