CVE-2025-35007: CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') in Microhard IPn4Gii / Bullet-LTE Firmware
Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue in the AT+MFRULE command that can lead to privilege escalation. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). This issue has not been generally fixed at the time of this CVE record's first publishing.
AI Analysis
Technical Summary
CVE-2025-35007 is a high-severity vulnerability affecting Microhard's IPn4Gii and Bullet-LTE firmware products, specifically those incorporating the BulletLTE-NA2 and IPn4Gii-NA2 modules. The vulnerability is classified under CWE-88, which involves improper neutralization of argument delimiters in commands, commonly known as argument injection. This flaw exists in the handling of the AT+MFRULE command, which is used to configure firewall or filtering rules on the device. Because the input to this command is not properly sanitized, an authenticated attacker with at least limited privileges can inject additional command arguments or delimiters, leading to unintended command execution. This can result in privilege escalation, allowing the attacker to gain higher-level access than initially permitted. The CVSS 3.1 base score is 7.1, indicating a high severity level. The vector string (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) shows that the attack requires local access (AV:L), low attack complexity (AC:L), and low privileges (PR:L), but no user interaction (UI:N). The scope remains unchanged (S:U), and the impact on confidentiality and integrity is high (C:H/I:H), while availability is not affected (A:N). At the time of publication, no patches or fixes have been released, and no known exploits are reported in the wild. The vulnerability affects firmware versions labeled as '0', which likely means all current versions or an unspecified range. Given the nature of the affected devices—industrial cellular routers and modems used for LTE connectivity in critical infrastructure and industrial IoT environments—the vulnerability poses a significant risk if exploited, potentially allowing attackers to manipulate device configurations, bypass security controls, and gain unauthorized control over network traffic routing or filtering.
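To make the CWE-88 failure mode described above concrete, the following is an added example of the defensive pattern, not Microhard code: the AT+MFRULE field layout (`index,action,proto,src,port`), the field names and the `fwctl` backend are assumptions for illustration. The point is that every field is matched against a whitelist grammar and the backend is invoked with an argv list rather than a shell string, so a value containing a delimiter, or one beginning with a dash that a backend could read as an extra option, is rejected instead of changing the command's argument structure.

```python
import re
from dataclasses import dataclass

# Characters that act as argument or command delimiters when a value is spliced
# into a command line. A CWE-88 fix rejects them outright and, beyond that,
# never hands user input to a shell at all.
DELIMITERS = frozenset(";|&`$()<>\n\r\"'\\ \t")

# Hypothetical field grammar for AT+MFRULE=<index>,<action>,<proto>,<src>,<port>.
# This layout is an assumption for the example, not the vendor's documented syntax.
FIELD_ORDER = ("index", "action", "proto", "src", "port")
FIELD_RULES = {
    "index":  re.compile(r"[0-9]{1,2}"),
    "action": re.compile(r"ACCEPT|DROP"),
    "proto":  re.compile(r"tcp|udp|icmp"),
    "src":    re.compile(r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?:/[0-9]{1,2})?"),
    "port":   re.compile(r"[0-9]{1,5}|\*"),
}


class ArgumentInjection(ValueError):
    """A field contained a delimiter or failed its whitelist grammar."""


@dataclass(frozen=True)
class Rule:
    index: int
    action: str
    proto: str
    src: str
    port: str  # decimal port or "*" for any


def parse_mfrule(line: str) -> Rule:
    """Parse an AT+MFRULE line into a Rule, treating every field as data.

    Each field must fully match a whitelist regex, so a value can never carry a
    delimiter, a leading dash (which a backend could read as a new option), or
    a second command. Rejection is loud rather than "sanitizing" in place.
    """
    prefix = "AT+MFRULE="
    if not line.startswith(prefix):
        raise ValueError("not an AT+MFRULE command")
    fields = line[len(prefix):].split(",")
    if len(fields) != len(FIELD_ORDER):
        raise ArgumentInjection(f"expected {len(FIELD_ORDER)} fields, got {len(fields)}")
    values = {}
    for name, raw in zip(FIELD_ORDER, fields):
        if DELIMITERS.intersection(raw):
            raise ArgumentInjection(f"delimiter character in field {name!r}: {raw!r}")
        if FIELD_RULES[name].fullmatch(raw) is None:
            raise ArgumentInjection(f"field {name!r} failed grammar: {raw!r}")
        values[name] = raw
    if values["port"] != "*" and not 0 < int(values["port"]) <= 65535:
        raise ArgumentInjection(f"port out of range: {values['port']}")
    return Rule(int(values["index"]), values["action"], values["proto"],
                values["src"], values["port"])


def build_argv(rule: Rule) -> list:
    """Build the backend invocation as an argv list for a hypothetical 'fwctl'
    helper. Passing a list to subprocess.run(argv, shell=False) means each
    element reaches the program as exactly one argument; there is no shell to
    reinterpret delimiters even if validation were ever loosened."""
    argv = ["fwctl", "add", "--index", str(rule.index), "--action", rule.action,
            "--proto", rule.proto, "--src", rule.src]
    if rule.port != "*":
        argv += ["--port", rule.port]
    return argv


def handle(line: str) -> list:
    """Full handler path: validate, then return the argv the backend would run."""
    return build_argv(parse_mfrule(line))


if __name__ == "__main__":
    print(handle("AT+MFRULE=3,DROP,tcp,10.0.0.0/8,22"))
    for bad in ("AT+MFRULE=3,DROP,tcp,10.0.0.0/8,22;probe",
                "AT+MFRULE=3,DROP,tcp,10.0.0.0/8,--help",
                "AT+MFRULE=3,DROP,tcp,10.0.0.0/8,22,extra"):
        try:
            handle(bad)
        except ArgumentInjection as exc:
            print("rejected:", exc)
```

Two design choices carry the fix: the per-field whitelist is checked with `fullmatch`, so nothing can trail a valid value, and the backend receives an argv list rather than a string, so delimiter handling never depends on escaping being done correctly in one place.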
Potential Impact
For European organizations, the impact of this vulnerability can be substantial, especially for those relying on Microhard IPn4Gii and Bullet-LTE devices for critical communications infrastructure. These devices are often deployed in industrial automation, smart grid systems, transportation networks, and remote monitoring setups. Exploitation could lead to unauthorized privilege escalation, enabling attackers to alter firewall rules or network policies, potentially disrupting communications or enabling lateral movement within the network. Confidentiality and integrity of sensitive data transmitted through these devices could be compromised, leading to data breaches or manipulation of operational commands. Given the low complexity and lack of required user interaction, attackers with limited access could leverage this flaw to escalate privileges and gain persistent control. This risk is heightened in environments where physical or network access controls are insufficient. The absence of a patch increases exposure time, and organizations may face compliance and operational risks if these devices are part of regulated infrastructure. Additionally, the potential for attackers to manipulate network traffic could facilitate further attacks, including espionage or sabotage, impacting critical European industries and services.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should implement the following specific measures:
1) Immediately audit all Microhard IPn4Gii and Bullet-LTE devices to identify affected firmware versions and isolate devices where possible.
2) Restrict access to device management interfaces to trusted personnel and networks only, employing network segmentation and strict access control lists (ACLs) to limit exposure.
3) Enforce strong authentication mechanisms and monitor for unusual command usage or privilege escalation attempts on these devices.
4) Employ network-level protections such as intrusion detection/prevention systems (IDS/IPS) to detect anomalous AT command traffic or suspicious configuration changes.
5) Engage with Microhard or authorized vendors to obtain firmware updates or patches as soon as they become available, and plan for timely deployment.
6) Where feasible, implement compensating controls such as out-of-band management or additional logging to detect and respond to exploitation attempts.
7) Conduct regular security training for administrators managing these devices to recognize and respond to potential exploitation indicators.
8) Consider temporary operational changes, such as disabling the AT+MFRULE command or limiting its usage, if supported by the device, until a patch is applied.
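Measures 3) and 4) call for monitoring command usage. As an added illustration, not vendor tooling, here is a small detector run over constructed sample log lines; the syslog-style layout, the `host=`/`user=`/`role=`/`cmd=` field names and the thresholds are assumptions for this example, so map your own collector's fields onto `LOG_RE`. It flags three patterns relevant to this CVE: delimiter characters inside AT+MFRULE arguments, rule changes issued by accounts outside the privileged roles, and bursts of rule changes from one account in a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed syslog-style layout. The field names
# (host=, user=, role=, cmd=) are an assumption for this example, not the
# devices' real log format.
SAMPLE_LOG = """\
2025-06-09T11:31:26Z host=bullet-01 user=admin role=admin cmd="AT+MFRULE=1,ACCEPT,tcp,10.0.0.5,443" result=OK
2025-06-09T11:32:02Z host=bullet-01 user=operator role=user cmd="AT+MFRULE=2,DROP,udp,10.0.0.9,53" result=OK
2025-06-09T11:32:10Z host=bullet-01 user=operator role=user cmd="AT+MFRULE=2,DROP,udp,10.0.0.9,53;probe" result=OK
2025-06-09T11:32:11Z host=bullet-01 user=operator role=user cmd="AT+MFRULE=3,DROP,udp,10.0.0.9,53 --extra" result=OK
2025-06-09T11:32:12Z host=bullet-01 user=operator role=user cmd="AT+MFRULE=4,DROP,udp,10.0.0.9,53" result=OK
2025-06-09T11:40:00Z host=bullet-02 user=admin role=admin cmd="AT+MNTP=pool.example.net" result=OK
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) role=(?P<role>\S+) '
    r'cmd="(?P<cmd>[^"]*)" result=(?P<result>\S+)$'
)
# Shell metacharacters, quotes and whitespace have no place in a rule argument.
DELIM_RE = re.compile(r'[;|&`$()<>\s"\'\\]')
PRIVILEGED_ROLES = {"admin"}
BURST_WINDOW = timedelta(seconds=60)
BURST_LIMIT = 3  # rule changes per user within BURST_WINDOW


def parse_line(line):
    """Return a dict of fields for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def analyze(log_text):
    """Scan log text and return (kind, user, cmd, ts) alerts for AT+MFRULE usage."""
    alerts = []
    recent = defaultdict(list)  # user -> timestamps of recent rule changes
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or not ev["cmd"].upper().startswith("AT+MFRULE"):
            continue
        args = ev["cmd"].partition("=")[2]
        if DELIM_RE.search(args):
            alerts.append(("DELIMITER", ev["user"], ev["cmd"], ev["ts"]))
        if ev["role"] not in PRIVILEGED_ROLES:
            alerts.append(("LOW_PRIV_RULE_CHANGE", ev["user"], ev["cmd"], ev["ts"]))
        # Sliding window: keep only timestamps within BURST_WINDOW of this event
        # and alert once, when the count first reaches BURST_LIMIT.
        window = [t for t in recent[ev["user"]] if ev["ts"] - t <= BURST_WINDOW]
        window.append(ev["ts"])
        recent[ev["user"]] = window
        if len(window) == BURST_LIMIT:
            alerts.append(("BURST", ev["user"], ev["cmd"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, user, cmd, ts in analyze(SAMPLE_LOG):
        print(f"{ts:%H:%M:%S} {kind:<22} user={user} cmd={cmd}")
```

On the constructed sample the detector raises seven alerts, all against the `operator` account: one low-privilege rule change per AT+MFRULE line, two delimiter hits (the `;` and the embedded space), and one burst when the third change lands inside the 60-second window. Tune `PRIVILEGED_ROLES` and the burst thresholds to the roles and change rates that are normal in your deployment.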
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: AHA
- Date Reserved: 2025-04-15T20:40:30.571Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 6846c60e7b622a9fdf1e793f
Added to database: 6/9/2025, 11:31:26 AM
Last enriched: 7/9/2025, 11:43:09 AM
Last updated: 7/31/2025, 3:18:12 AM