CVE-2025-11073 is a command injection vulnerability identified in the Keyfactor RG-EW5100BE device, specifically in the firmware version EW_3.0B11P280_EW5100BE-PRO_12183019. The vulnerability resides in an HTTP POST request handler component, within the /cgi-bin/luci/api/cmd endpoint. The flaw arises from improper sanitization or validation of the 'url' argument, which allows an attacker to inject arbitrary commands that the system executes. This vulnerability can be exploited remotely without requiring user interaction or authentication, as indicated by the CVSS vector. The CVSS 4.0 base score is 5.1, categorized as medium severity. The attack vector is network-based (AV:N), with low attack complexity (AC:L), and no privileges required (PR:H indicates high privileges required, but the description and vector seem conflicting; however, the CVSS vector states PR:H, meaning privileges are required, which reduces the risk somewhat). The vulnerability impacts confidentiality, integrity, and availability to a limited extent (VC:L, VI:L, VA:L). There is no scope change or security requirements involved. No patches or mitigations have been published yet, and no known exploits are currently observed in the wild, though a public exploit exists. This vulnerability could allow an attacker to execute arbitrary commands on the device, potentially leading to unauthorized control, data leakage, or disruption of device functionality. Given the device is likely used in network infrastructure or security contexts, exploitation could have broader network implications.

For European organizations, the impact of this vulnerability could be significant depending on the deployment of the Keyfactor RG-EW5100BE devices within their infrastructure. Since the device appears to be a network or security appliance, successful exploitation could lead to unauthorized command execution, enabling attackers to manipulate device configurations, intercept or redirect network traffic, or disrupt services. This could compromise the confidentiality and integrity of sensitive data and impact availability of critical network functions. Organizations in sectors such as finance, government, healthcare, and critical infrastructure, which rely heavily on secure network devices, could face operational disruptions and data breaches. Furthermore, if these devices are part of a larger security framework, their compromise could serve as a pivot point for lateral movement within corporate networks, increasing the risk of widespread compromise. The medium severity rating suggests a moderate risk, but the lack of authentication requirement for exploitation (if confirmed) elevates the threat level. European entities must assess their exposure based on device usage and firmware versions.

Given the absence of official patches, European organizations should immediately inventory their Keyfactor RG-EW5100BE devices and verify firmware versions. If vulnerable versions are detected, organizations should consider the following mitigations: 1) Isolate affected devices from untrusted networks to limit exposure to remote attacks. 2) Implement strict network access controls and firewall rules to restrict access to the /cgi-bin/luci/api/cmd endpoint, allowing only trusted management hosts. 3) Monitor network traffic and device logs for unusual POST requests targeting the vulnerable endpoint, indicating potential exploitation attempts. 4) Disable or restrict the vulnerable API endpoint if possible, or apply custom filtering on input parameters to prevent command injection. 5) Engage with Keyfactor support for guidance and request expedited patch releases. 6) Employ network segmentation to reduce the impact of a compromised device. 7) Prepare incident response plans specifically addressing potential device compromise scenarios. These targeted actions go beyond generic advice by focusing on the specific vulnerable component and attack vector.