CVE-2025-27262 is a high-severity vulnerability classified under CWE-78, which pertains to improper neutralization of special elements used in an OS command, commonly known as OS Command Injection. This vulnerability affects the Ericsson Indoor Connect 8855 device, a product designed to enhance indoor cellular coverage by acting as a small cell or femtocell solution. The vulnerability allows an attacker with limited privileges (local access) to inject arbitrary OS commands due to insufficient input validation or sanitization of user-supplied data before it is passed to the operating system shell. Exploiting this flaw can lead to privilege escalation, enabling the attacker to execute commands with higher privileges than initially granted, potentially gaining full control over the device. The CVSS 4.0 score of 8.5 reflects a high severity, with the attack vector being local (AV:L), low attack complexity (AC:L), no user interaction required (UI:N), and no need for authentication (AT:N). The vulnerability impacts confidentiality, integrity, and availability at a high level, as the attacker can manipulate system commands and potentially disrupt device operation or exfiltrate sensitive information. There are no known exploits in the wild at the time of publication, and no patches have been released yet. The vulnerability was reserved in February 2025 and published in September 2025, indicating recent discovery and disclosure. Given the nature of the device, which is often deployed in enterprise and carrier environments to improve indoor cellular connectivity, the risk extends to network infrastructure and potentially to connected user devices if the compromised device is used as a pivot point.

For European organizations, the impact of this vulnerability can be significant, especially for telecommunications providers, enterprises deploying Ericsson Indoor Connect 8855 units for enhanced indoor coverage, and critical infrastructure entities relying on stable cellular connectivity. Exploitation could lead to unauthorized control over the device, allowing attackers to disrupt indoor cellular services, intercept or manipulate data traffic, or use the compromised device as a foothold for lateral movement within the network. This could affect business continuity, data confidentiality, and service availability. Additionally, given the strategic importance of telecommunications infrastructure in Europe for economic and governmental operations, successful exploitation could have broader implications including regulatory non-compliance and reputational damage. The local attack vector implies that attackers would need some form of local access, which could be achieved through insider threats, compromised internal systems, or physical access in less secure environments.

1. Immediate network segmentation: Isolate Ericsson Indoor Connect 8855 devices on dedicated network segments with strict access controls to limit local access only to trusted administrators and systems. 2. Implement strict physical security controls to prevent unauthorized physical access to the devices. 3. Monitor device logs and network traffic for unusual command execution patterns or privilege escalation attempts. 4. Employ host-based intrusion detection systems (HIDS) on management workstations to detect suspicious activities related to device management. 5. Coordinate with Ericsson for timely release and deployment of security patches or firmware updates addressing CVE-2025-27262. 6. Until patches are available, consider disabling or restricting management interfaces that allow local command execution or limit administrative access to the minimum necessary personnel. 7. Conduct regular security audits and penetration testing focused on the affected devices and their management interfaces. 8. Educate staff on the risks of local access vulnerabilities and enforce strong authentication and authorization policies for device management.