CVE-2025-35006: CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') in Microhard IPn4Gii / Bullet-LTE Firmware
Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue in the AT+MFPORTFWD command that can lead to privilege escalation. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). This issue has not been generally fixed at the time of this CVE record's first publishing.
AI Analysis
Technical Summary
CVE-2025-35006 is a high-severity vulnerability affecting Microhard's IPn4Gii and Bullet-LTE firmware products, specifically those incorporating the BulletLTE-NA2 and IPn4Gii-NA2 modules. The vulnerability is classified under CWE-88, which involves improper neutralization of argument delimiters in commands, commonly known as argument injection. This flaw exists in the handling of the AT+MFPORTFWD command, which is used for port forwarding configuration. An authenticated user with limited privileges can exploit this vulnerability by injecting malicious command arguments through the AT+MFPORTFWD interface. This injection can lead to privilege escalation, allowing the attacker to gain higher-level access than originally permitted. The CVSS v3.1 base score is 7.1, indicating a high severity level. The vector details (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) specify that the attack requires local access (AV:L), low attack complexity (AC:L), low privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), and results in high confidentiality and integrity impact (C:H/I:H) but no impact on availability (A:N). At the time of publication, no patches or fixes have been released, and no known exploits have been observed in the wild. The vulnerability poses a significant risk in environments where these devices are deployed, especially since the affected command is related to network configuration, potentially allowing attackers to manipulate network traffic or device behavior after privilege escalation.
Potential Impact
For European organizations, the impact of this vulnerability can be substantial, particularly for those relying on Microhard IPn4Gii and Bullet-LTE modules in critical communication infrastructure. These devices are often used in industrial IoT, remote telemetry, and private LTE networks, which are common in sectors such as manufacturing, utilities, transportation, and emergency services. Exploitation could allow attackers to escalate privileges and alter network forwarding rules, potentially intercepting, redirecting, or disrupting sensitive communications. This could lead to data breaches compromising confidentiality, manipulation of operational data affecting integrity, and indirect operational disruptions. Given the vulnerability requires local access and authentication, insider threats or attackers who have gained initial footholds in the network could leverage this flaw to deepen their control. The lack of a patch increases the window of exposure. Additionally, the high confidentiality and integrity impact ratings suggest that sensitive data and system configurations are at risk, which could have regulatory and compliance implications under GDPR and other European cybersecurity frameworks.
Mitigation Recommendations
Since no official patches are available, European organizations should implement compensating controls to mitigate risk. These include:
1) Restricting access to the management interfaces of affected devices strictly to trusted personnel and networks, using network segmentation and strong access control lists (ACLs).
2) Enforcing multi-factor authentication (MFA) for device management to reduce the risk of credential compromise.
3) Monitoring and logging all AT command usage, especially AT+MFPORTFWD commands, to detect anomalous or unauthorized activity.
4) Applying strict input validation and command filtering at network gateways or proxy devices if possible, to prevent injection attempts.
5) Conducting regular audits of device configurations and privilege assignments to minimize the number of users with elevated privileges.
6) Preparing incident response plans specifically addressing potential exploitation scenarios.
7) Engaging with the vendor for updates and patches, and planning for timely deployment once available.
8) Considering device replacement or firmware upgrades if the risk cannot be adequately mitigated in critical environments.
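One way to act on recommendations 3 and 4 is to review logged AT+MFPORTFWD commands against a conservative argument allowlist. The following is an added example, not vendor code or part of the CVE record. The log line layout ("timestamp user command"), the comma-separated field layout and the allowed character set are assumptions, since the page does not give the command's syntax.

```python
import re

# Assumption: characters expected in a legitimate port-forward field (names,
# numbers, IPv4 addresses). Tighten this to the vendor's documented syntax.
SAFE_FIELD = re.compile(r"[A-Za-z0-9_.:]*")

def review_command(cmd):
    """Return reasons an AT+MFPORTFWD set command needs review ([] if none)."""
    name, sep, args = cmd.partition("=")
    if not sep or name.strip().upper() != "AT+MFPORTFWD":
        return []
    reasons = []
    for pos, raw in enumerate(args.split(","), start=1):
        field = raw.strip()
        if len(field) >= 2 and field[0] == field[-1] == '"':
            field = field[1:-1]  # tolerate a quoted string argument
        if field.startswith("-"):
            reasons.append(f"field {pos}: leading '-' (reads as an option)")
        elif any(ch.isspace() for ch in field):
            reasons.append(f"field {pos}: embedded whitespace (argument delimiter)")
        elif not SAFE_FIELD.fullmatch(field):
            reasons.append(f"field {pos}: character outside allowlist")
    return reasons

def scan_log(lines):
    """Return (timestamp, user, reasons) for every flagged log line."""
    findings = []
    for line in lines:
        parts = line.strip().split(None, 2)  # assumed "<ts> <user> <command>"
        if len(parts) != 3:
            continue
        ts, user, cmd = parts
        reasons = review_command(cmd)
        if reasons:
            findings.append((ts, user, reasons))
    return findings

# Constructed sample: log format and field layout are invented for illustration.
SAMPLE_LOG = [
    "2025-06-09T11:31:26Z admin AT+MFPORTFWD=web,192.168.168.10,80,TCP,8080",
    "2025-06-09T11:32:02Z operator AT+MFPORTFWD=cam,192.168.168.20,-x,TCP,554",
    "2025-06-09T11:32:40Z operator AT+MFPORTFWD=cam 2,192.168.168.20,554,TCP,554",
    "2025-06-09T11:33:05Z admin AT",
]

if __name__ == "__main__":
    for ts, user, reasons in scan_log(SAMPLE_LOG):
        print(ts, user, "; ".join(reasons))
```

The same review_command check can sit in a management proxy to reject a command before it reaches the device; a flagged line is a prompt for review, not proof of exploitation.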
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: AHA
- Date Reserved: 2025-04-15T20:40:30.571Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6846c60e7b622a9fdf1e793d
Added to database: 6/9/2025, 11:31:26 AM
Last enriched: 7/9/2025, 11:42:47 AM
Last updated: 8/12/2025, 1:03:48 PM