CVE-2025-35009: CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') in Microhard IPn4Gii / Bullet-LTE Firmware

Severity: High
Type: Vulnerability
Tags: cve, cve-2025-35009, cwe-88
Published: Sun Jun 08 2025 (06/08/2025, 21:06:05 UTC)
Source: CVE Database V5
Vendor/Project: Microhard
Product: IPn4Gii / Bullet-LTE Firmware

Description

Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue in the AT+MNNETSP command that can lead to privilege escalation. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). This issue has not been generally fixed at the time of this CVE record's first publishing.

AI-Powered Analysis

Last updated: 07/09/2025, 11:54:55 UTC

Technical Analysis

CVE-2025-35009 is a high-severity vulnerability affecting Microhard's IPn4Gii-NA2 and BulletLTE-NA2 devices, specifically in their firmware. The flaw is a post-authentication command injection vulnerability classified under CWE-88, which involves improper neutralization of argument delimiters in commands, also known as argument injection. The vulnerability resides in the AT+MNNETSP command interface, which is used for network configuration. An authenticated attacker with at least low privileges can exploit this vulnerability by injecting malicious arguments into the command, leading to privilege escalation. This means the attacker can execute arbitrary commands with elevated privileges on the device, potentially compromising the confidentiality and integrity of the system. The CVSS 3.1 base score is 7.1, reflecting a high severity level, with the vector indicating local attack vector (AV:L), low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality and integrity (C:H/I:H), but no impact on availability (A:N). At the time of disclosure, no patches or fixes have been released, increasing the risk for organizations using these devices. The vulnerability is significant because these devices are used in critical communication infrastructure, often in industrial, transportation, or remote connectivity scenarios, where secure and reliable network access is essential. Exploitation could allow attackers to manipulate device configurations, intercept or redirect network traffic, or disrupt operational processes by gaining unauthorized control over the device.

Potential Impact

For European organizations, the impact of this vulnerability can be substantial, especially for those relying on Microhard IPn4Gii and BulletLTE devices for critical network connectivity in industrial IoT, transportation, or remote monitoring applications. Successful exploitation could lead to unauthorized access to sensitive network configurations, enabling attackers to intercept or manipulate data flows, compromise operational integrity, or escalate privileges to control other connected systems. This could result in data breaches, operational disruptions, or loss of trust in network reliability. Given the post-authentication requirement, insider threats or compromised credentials could facilitate exploitation. The lack of available patches increases the window of exposure. Organizations in sectors such as manufacturing, utilities, logistics, and public infrastructure that deploy these devices are at higher risk. Additionally, the high confidentiality and integrity impact means sensitive data and system configurations could be exposed or altered, potentially leading to regulatory compliance issues under GDPR and other European data protection laws.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should first inventory all Microhard IPn4Gii and BulletLTE devices in their environment to identify affected firmware versions. Since no official patches are available yet, organizations should implement compensating controls: restrict access to device management interfaces to trusted administrators only, enforce strong authentication mechanisms, and monitor for unusual command usage or privilege escalation attempts. Network segmentation should be employed to isolate these devices from critical network segments and limit lateral movement. Implement strict access controls and logging on management interfaces to detect and respond to suspicious activities promptly. Where possible, disable or restrict the use of the vulnerable AT+MNNETSP command or limit its accessibility. Engage with Microhard for updates or firmware patches and plan for timely deployment once available. Additionally, consider deploying intrusion detection systems tailored to detect command injection patterns or anomalous device behavior. Regularly review and update credentials to reduce the risk of post-authentication exploitation.
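
The monitoring recommendation above can be turned into a concrete check. The following is an added example, not code from Microhard or from the CVE record: it scans an AT-command audit log for AT+MNNETSP invocations whose arguments contain delimiters or other unexpected characters. The log line format, the sample lines, and the allowlist of "plain token" arguments are assumptions, because the record does not document the command's syntax.

```python
import re

# Assumption: legitimate AT+MNNETSP arguments are short plain tokens. The record
# does not document the syntax, so tune SAFE_ARG against the vendor manual.
SAFE_ARG = re.compile(r"[A-Za-z0-9._:]{1,64}")
AT_CMD = re.compile(r"\bAT\+MNNETSP\s*=(?P<args>.*)$", re.IGNORECASE)

def split_args(raw):
    """Split on commas outside double quotes; the quotes themselves are dropped."""
    args, cur, quoted = [], [], False
    for ch in raw:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            args.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    args.append("".join(cur))
    return args

def classify(arg):
    """Return the reasons an argument deviates from the allowlist (empty if none)."""
    reasons = []
    if arg.startswith("-"):
        reasons.append("leading-dash")      # could be parsed as an option
    if re.search(r"\s", arg):
        reasons.append("whitespace")        # argument delimiter (CWE-88)
    if arg and not reasons and not SAFE_ARG.fullmatch(arg):
        reasons.append("unexpected-character")
    return reasons

def scan(lines):
    """Return (line_no, arg_index, reasons) for each suspicious AT+MNNETSP argument."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = AT_CMD.search(line.rstrip("\r\n"))
        if not m:
            continue
        for idx, arg in enumerate(split_args(m.group("args"))):
            reasons = classify(arg)
            if reasons:
                findings.append((no, idx, reasons))
    return findings

# Constructed sample log lines; the format is hypothetical, not device output.
SAMPLE_LOG = [
    "2025-06-09T11:31:26Z user=operator cmd=AT+MNNETSP=1,carrier0",
    "2025-06-09T11:32:02Z user=operator cmd=AT",
    '2025-06-09T11:33:40Z user=operator cmd=AT+MNNETSP=1,"carrier0 -x"',
    "2025-06-09T11:34:11Z user=operator cmd=AT+MNNETSP=-v,carrier0",
]
```

Findings from `scan(SAMPLE_LOG)` identify the log line, the argument position, and the reason, which is enough to drive an alert or a manual review of the session that issued the command.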

Technical Details

Data Version: 5.1
Assigner Short Name: AHA
Date Reserved: 2025-04-15T20:40:30.572Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6846c60e7b622a9fdf1e7943

Added to database: 6/9/2025, 11:31:26 AM

Last enriched: 7/9/2025, 11:54:55 AM

Last updated: 8/8/2025, 4:21:23 PM
