CVE-2025-35007 is a high-severity vulnerability affecting Microhard's IPn4Gii and Bullet-LTE firmware products, specifically those incorporating the BulletLTE-NA2 and IPn4Gii-NA2 modules. The vulnerability is classified under CWE-88, which involves improper neutralization of argument delimiters in commands, commonly known as argument injection. This flaw exists in the handling of the AT+MFRULE command, which is used to configure firewall or filtering rules on the device. Because the input to this command is not properly sanitized, an authenticated attacker with at least limited privileges can inject additional command arguments or delimiters, leading to unintended command execution. This can result in privilege escalation, allowing the attacker to gain higher-level access than initially permitted. The CVSS 3.1 base score is 7.1, indicating a high severity level. The vector string (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) shows that the attack requires local access (AV:L), low attack complexity (AC:L), and low privileges (PR:L), but no user interaction (UI:N). The scope remains unchanged (S:U), and the impact on confidentiality and integrity is high (C:H/I:H), while availability is not affected (A:N). At the time of publication, no patches or fixes have been released, and no known exploits are reported in the wild. The vulnerability affects firmware versions labeled as '0', which likely means all current versions or an unspecified range. Given the nature of the affected devices—industrial cellular routers and modems used for LTE connectivity in critical infrastructure and industrial IoT environments—the vulnerability poses a significant risk if exploited, potentially allowing attackers to manipulate device configurations, bypass security controls, and gain unauthorized control over network traffic routing or filtering.

For European organizations, the impact of this vulnerability can be substantial, especially for those relying on Microhard IPn4Gii and Bullet-LTE devices for critical communications infrastructure. These devices are often deployed in industrial automation, smart grid systems, transportation networks, and remote monitoring setups. Exploitation could lead to unauthorized privilege escalation, enabling attackers to alter firewall rules or network policies, potentially disrupting communications or enabling lateral movement within the network. Confidentiality and integrity of sensitive data transmitted through these devices could be compromised, leading to data breaches or manipulation of operational commands. Given the low complexity and lack of required user interaction, attackers with limited access could leverage this flaw to escalate privileges and gain persistent control. This risk is heightened in environments where physical or network access controls are insufficient. The absence of a patch increases exposure time, and organizations may face compliance and operational risks if these devices are part of regulated infrastructure. Additionally, the potential for attackers to manipulate network traffic could facilitate further attacks, including espionage or sabotage, impacting critical European industries and services.

To mitigate this vulnerability, European organizations should implement the following specific measures: 1) Immediately audit all Microhard IPn4Gii and Bullet-LTE devices to identify affected firmware versions and isolate devices where possible. 2) Restrict access to device management interfaces to trusted personnel and networks only, employing network segmentation and strict access control lists (ACLs) to limit exposure. 3) Enforce strong authentication mechanisms and monitor for unusual command usage or privilege escalation attempts on these devices. 4) Employ network-level protections such as intrusion detection/prevention systems (IDS/IPS) to detect anomalous AT command traffic or suspicious configuration changes. 5) Engage with Microhard or authorized vendors to obtain firmware updates or patches as soon as they become available, and plan for timely deployment. 6) Where feasible, implement compensating controls such as out-of-band management or additional logging to detect and respond to exploitation attempts. 7) Conduct regular security training for administrators managing these devices to recognize and respond to potential exploitation indicators. 8) Consider temporary operational changes, such as disabling the AT+MFRULE command or limiting its usage, if supported by the device, until a patch is applied.