CVE-2025-4747 is a command injection vulnerability identified in Bohua NetDragon Firewall version 1.0. The vulnerability arises from improper handling of the 'subnet' argument within the /systemstatus/ip_status.php file. Specifically, the firewall fails to properly sanitize or validate this input, allowing an attacker to inject arbitrary commands that the system executes. This vulnerability can be exploited remotely without requiring user interaction or prior authentication, making it accessible to unauthenticated attackers over the network. The CVSS 4.0 base score is 5.3, indicating a medium severity level, reflecting partial impacts on confidentiality, integrity, and availability, with low complexity and no privileges required. Although the vulnerability is classified as critical in the description, the CVSS score suggests a medium severity due to limited scope and impact. No public exploits are currently known in the wild, but the exploit details have been disclosed publicly, increasing the risk of exploitation. The vulnerability affects only version 1.0 of the NetDragon Firewall product by Bohua, which is a network security appliance designed to monitor and control incoming and outgoing network traffic. The command injection flaw could allow attackers to execute arbitrary system commands on the firewall device, potentially leading to unauthorized access, data leakage, disruption of firewall operations, or pivoting to internal networks. Given the firewall’s role as a security boundary, exploitation could severely undermine network defenses.

For European organizations using Bohua NetDragon Firewall 1.0, this vulnerability poses a significant risk to network security. Successful exploitation could allow attackers to execute arbitrary commands on the firewall, potentially disabling or bypassing security controls, exfiltrating sensitive data, or launching further attacks within the internal network. This could lead to confidentiality breaches, integrity violations, and availability disruptions. Organizations in critical infrastructure sectors, government, finance, and telecommunications are particularly at risk due to the strategic importance of their network defenses. The remote and unauthenticated nature of the exploit increases the threat level, as attackers can target exposed firewall management interfaces over the internet or internal networks without credentials. Although no active exploitation is reported, public disclosure of the exploit details may lead to rapid weaponization. The medium CVSS score suggests partial impact, but the critical role of firewalls in security architectures means even limited compromise can have cascading effects. European entities relying on this specific firewall version should consider the potential for operational disruption and data compromise.

1. Immediate upgrade or patching: Organizations should verify if Bohua has released patches or newer versions addressing CVE-2025-4747 and apply them promptly. If no official patch is available, consider disabling or restricting access to the vulnerable component (/systemstatus/ip_status.php). 2. Network segmentation and access control: Limit access to the firewall management interfaces to trusted administrative networks only, using VPNs or jump hosts. 3. Input validation and filtering: If custom configurations or web application firewalls are in place, implement strict input validation rules to block malicious payloads targeting the 'subnet' parameter. 4. Monitoring and detection: Deploy intrusion detection/prevention systems (IDS/IPS) to monitor for suspicious command injection patterns or unusual firewall behavior. 5. Incident response preparedness: Develop and test incident response plans specific to firewall compromise scenarios. 6. Vendor engagement: Engage with Bohua support for guidance and updates. 7. Alternative solutions: Evaluate the feasibility of replacing the vulnerable firewall with a more secure or updated product if patching is not timely. These steps go beyond generic advice by focusing on immediate containment, access restriction, and proactive detection tailored to the firewall’s role and the specific vulnerability vector.