CVE-2025-11073 is a command injection vulnerability identified in the Keyfactor RG-EW5100BE device, specifically in the firmware version EW_3.0B11P280_EW5100BE-PRO_12183019. The vulnerability resides in an HTTP POST request handler component, located at the /cgi-bin/luci/api/cmd endpoint. The issue arises due to improper sanitization or validation of the 'url' argument passed to this endpoint, allowing an attacker to inject arbitrary commands that the system executes. This vulnerability can be exploited remotely without user interaction and does not require authentication, which significantly lowers the barrier for exploitation. The CVSS 4.0 base score is 5.1, indicating a medium severity level. The vector string (AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) suggests network attack vector, low attack complexity, no user interaction, but requires high privileges (PR:H) to exploit, with low impacts on confidentiality, integrity, and availability. However, the description states the attack can be launched remotely, which may indicate some ambiguity in privilege requirements or that the attacker must have some form of elevated access. The exploit code is publicly available, increasing the risk of exploitation, although no known exploits in the wild have been reported yet. Since the vulnerability allows command injection, successful exploitation could lead to full system compromise, unauthorized command execution, and potentially lateral movement within networks where the device is deployed. The affected product is a network device from Keyfactor, likely used in enterprise or industrial environments for secure key management or related functions.

For European organizations, this vulnerability poses a moderate risk primarily to those using the Keyfactor RG-EW5100BE device with the specified firmware. Successful exploitation could allow attackers to execute arbitrary commands remotely, potentially leading to unauthorized access, data leakage, or disruption of services. Given the device's role in key management or security infrastructure, compromise could undermine cryptographic operations, impacting confidentiality and integrity of sensitive data. The medium CVSS score reflects limited impact due to required privileges, but the availability of public exploit code increases the threat landscape. Organizations relying on these devices in critical infrastructure, financial services, or government sectors in Europe could face operational disruptions or data breaches if this vulnerability is exploited. The lack of known active exploitation reduces immediate risk but does not eliminate the potential for targeted attacks, especially as exploit code becomes more widespread.

1. Immediate firmware upgrade: Organizations should check for and apply any available patches or firmware updates from Keyfactor addressing this vulnerability. If no patch is currently available, engage with the vendor for timelines and interim mitigations. 2. Network segmentation: Isolate the affected devices from untrusted networks and restrict access to the /cgi-bin/luci/api/cmd endpoint using firewall rules or access control lists to limit exposure. 3. Access control: Enforce strict authentication and authorization policies to ensure only trusted administrators can access management interfaces. 4. Monitoring and logging: Implement enhanced monitoring of network traffic and device logs for unusual POST requests targeting the vulnerable endpoint, and set up alerts for potential exploitation attempts. 5. Disable unnecessary services: If feasible, disable or restrict the vulnerable HTTP POST handler or related services until a patch is applied. 6. Incident response readiness: Prepare to respond to potential incidents involving this device, including isolating compromised devices and conducting forensic analysis.