CVE-2025-48978 is a high-severity vulnerability affecting Ubiquiti Inc's EdgeMAX EdgeSwitch devices running firmware version 1.11.0 and earlier. The vulnerability stems from improper input validation, specifically categorized under CWE-77 (Improper Neutralization of Special Elements used in a Command ('Command Injection')). This flaw allows a remote attacker with access to the network adjacent to the EdgeSwitch to perform command injection attacks. By exploiting this vulnerability, an attacker can execute arbitrary commands on the underlying operating system of the EdgeSwitch device without requiring any authentication or user interaction. The vulnerability is accessible only to actors who have access to the adjacent network, meaning the attacker must be on a network segment that can communicate directly with the EdgeSwitch management interface or services. The CVSS v3.1 base score is 7.5, indicating a high severity level, with the vector AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. This means the attack requires adjacent network access and high attack complexity, no privileges or user interaction are needed, and the impact on confidentiality, integrity, and availability is high. The vulnerability was published on August 21, 2025, and the vendor has released a patch in version 1.11.1 to remediate the issue. No known exploits in the wild have been reported yet. The vulnerability's root cause is improper input validation that allows malicious input to be interpreted as system commands, potentially leading to full system compromise of the EdgeSwitch device.

For European organizations, this vulnerability poses a significant risk, especially for those relying on Ubiquiti EdgeMAX EdgeSwitch devices for their network infrastructure. Successful exploitation could lead to complete compromise of the switch, allowing attackers to manipulate network traffic, disrupt network availability, exfiltrate sensitive data, or pivot to other internal systems. Given the critical role of network switches in enterprise and service provider environments, this could result in widespread network outages, data breaches, and loss of operational continuity. The requirement for adjacent network access somewhat limits remote exploitation but does not eliminate risk, as attackers could gain such access through compromised internal hosts, VPN connections, or misconfigured network segments. The high impact on confidentiality, integrity, and availability makes this vulnerability particularly dangerous in environments handling sensitive data, including financial institutions, healthcare providers, and government agencies across Europe.

Organizations should immediately verify the firmware version of their EdgeMAX EdgeSwitch devices and upgrade to version 1.11.1 or later, where the vulnerability has been patched. Network segmentation should be enforced to restrict access to the management interfaces of EdgeSwitch devices, limiting adjacency to trusted administrative networks only. Implement strict access control lists (ACLs) and firewall rules to prevent unauthorized lateral movement within the network. Monitoring and logging of network switch management traffic should be enhanced to detect unusual command execution or configuration changes. Additionally, organizations should conduct internal network scans to identify any unauthorized devices or compromised hosts that could provide an attacker with adjacent network access. Employing network intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics for command injection attempts targeting EdgeSwitch devices can provide early warning. Finally, maintain an up-to-date asset inventory and ensure that all network infrastructure devices are included in vulnerability management programs.