CVE-2025-35010: CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') in Microhard IPn4Gii / Bullet-LTE Firmware

Severity: High
Type: Vulnerability
Tags: CVE-2025-35010, cve, cve-2025-35010, cwe-88
Published: Sun Jun 08 2025 (06/08/2025, 21:06:16 UTC)
Source: CVE Database V5
Vendor/Project: Microhard
Product: IPn4Gii / Bullet-LTE Firmware

Description

Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue in the AT+MNPINGTM command that can lead to privilege escalation. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). This issue has not been generally fixed at the time of this CVE record's first publishing.

AI-Powered Analysis

Last updated: 07/09/2025, 11:55:10 UTC

Technical Analysis

CVE-2025-35010 is a high-severity vulnerability affecting Microhard's IPn4Gii and Bullet-LTE-NA2 firmware products. The flaw is classified under CWE-88, improper neutralization of argument delimiters in a command, commonly known as argument injection. The vulnerability exists in the AT+MNPINGTM command interface, which is used for network diagnostics. Because argument delimiters in the input are not sufficiently sanitized, an authenticated attacker with at least limited privileges (PR:L) can inject additional command arguments. This injection can lead to privilege escalation, granting the attacker higher-level access than intended.

The CVSS 3.1 base score is 7.1, indicating high severity, with the vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. This means the attack requires local access (e.g., via a management interface), low attack complexity, and low privileges, but no user interaction. The impact on confidentiality and integrity is high, while availability is not affected. As of the initial publication date, no patches or fixes have been released, which increases the risk for organizations using these devices. The vulnerability is particularly concerning because these devices are often deployed in industrial, critical infrastructure, or remote communication environments where LTE connectivity is essential. Exploitation could allow attackers to execute arbitrary commands with elevated privileges, potentially compromising network integrity and data confidentiality.

Potential Impact

For European organizations, the impact of this vulnerability can be significant, especially for those relying on Microhard IPn4Gii and Bullet-LTE devices for critical communications infrastructure, industrial control systems, or remote telemetry. Successful exploitation could lead to unauthorized access to sensitive network segments, manipulation of device configurations, interception or alteration of data flows, and disruption of operational continuity. Given the high confidentiality and integrity impact, attackers could exfiltrate sensitive information or inject malicious commands to alter device behavior, potentially causing cascading effects in connected systems. The lack of availability impact reduces the risk of outright denial of service, but stealthy compromise remains a serious concern. Organizations in sectors such as energy, transportation, manufacturing, and telecommunications that deploy these LTE devices could face operational disruptions, regulatory compliance issues (e.g., GDPR breaches due to data exposure), and reputational damage. The post-authentication requirement limits remote exploitation but does not eliminate risk, as insider threats or compromised credentials could facilitate attacks.

Mitigation Recommendations

1. Immediate mitigation should include restricting access to the management interfaces of affected devices to trusted personnel only, using network segmentation and strong access controls.
2. Implement multi-factor authentication (MFA) where possible to reduce the risk of credential compromise.
3. Monitor device logs and network traffic for unusual command executions or privilege escalations related to the AT+MNPINGTM command.
4. Employ strict input validation and sanitization on any interfaces that accept command inputs, if custom management tools are used.
5. Until an official patch is released, consider deploying compensating controls such as disabling or limiting the use of the vulnerable AT command if feasible.
6. Engage with Microhard for updates and apply firmware patches promptly once available.
7. Conduct regular security audits and penetration testing focused on LTE device management interfaces to detect exploitation attempts.
8. Educate administrators about the risks of post-authentication command injection vulnerabilities and enforce the principle of least privilege for device management accounts.
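Recommendation 4 as an added example (not code from Microhard or from this advisory): an allow-list check that a custom management tool could run on an operator-supplied diagnostic target before forwarding it in any AT command. The function names and the assumption that the field carries an IP address or hostname are hypothetical; the argument syntax of AT+MNPINGTM is not given on this page.

```python
import ipaddress
import re

# RFC 1123 hostname label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def check_target(value):
    """Return (accepted, reason) for one operator-supplied target (hypothetical helper)."""
    if not value or len(value) > 253:
        return False, "empty or too long"
    # CWE-88: whitespace or control characters split one argument into several.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        return False, "argument delimiter or control character"
    # A leading '-' would be read as an option by the program receiving the value.
    if value.startswith("-"):
        return False, "option prefix"
    try:
        ipaddress.ip_address(value)
        return True, "ip literal"
    except ValueError:
        pass
    # Allow-list: anything that is not a plain hostname is refused, which also
    # excludes quotes, separators and other shell-significant characters.
    labels = value.rstrip(".").split(".")
    if all(_LABEL.fullmatch(label) for label in labels):
        return True, "hostname"
    return False, "not an IP address or RFC 1123 hostname"


def screen(values):
    """Partition values into accepted targets and (value, reason) rejections."""
    accepted, rejected = [], []
    for value in values:
        ok, reason = check_target(value)
        if ok:
            accepted.append(value)
        else:
            rejected.append((value, reason))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any device or log.
    samples = ["192.0.2.10", "gw.example.net", "2001:db8::1",
               "-c", "192.0.2.10 extra", "host;name", ""]
    ok, bad = screen(samples)
    print("accepted:", ok)
    for value, reason in bad:
        print("rejected %r: %s" % (value, reason))
```

Rejections are worth logging with the operator account, since a refused value is also a signal for recommendation 3.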

Technical Details

Data Version: 5.1
Assigner Short Name: AHA
Date Reserved: 2025-04-15T20:40:30.572Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6846c60e7b622a9fdf1e7945

Added to database: 6/9/2025, 11:31:26 AM

Last enriched: 7/9/2025, 11:55:10 AM

Last updated: 8/7/2025, 12:34:46 AM
