
CVE-2025-5146: Command Injection in Netcore NBR1005GPEV2

Severity: Medium
Tags: Vulnerability, CVE-2025-5146
Published: Sun May 25 2025 (05/25/2025, 07:00:09 UTC)
Source: CVE
Vendor/Project: Netcore
Product: NBR1005GPEV2

Description

A vulnerability has been found in Netcore NBR1005GPEV2, B6V2, COVER5, NAP830, NAP930, NBR100V2 and NBR200V2 up to 20250508 and classified as critical. This vulnerability affects the function passwd_set of the file /usr/bin/routerd of the component HTTP Header Handler. The manipulation of the argument pwd leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/09/2025, 01:10:31 UTC

Technical Analysis

CVE-2025-5146 is a command injection vulnerability identified in multiple Netcore router models, including NBR1005GPEV2, B6V2, COVER5, NAP830, NAP930, NBR100V2, and NBR200V2, affecting firmware versions up to 20250508. The vulnerability resides in the passwd_set function within the /usr/bin/routerd binary, specifically in the HTTP Header Handler component. An attacker can manipulate the 'pwd' argument to inject arbitrary commands, which the router executes with elevated privileges. This flaw allows remote attackers to execute arbitrary commands on the device without requiring authentication or user interaction, as the attack vector is network-based (AV:N) and the attack complexity is low (AC:L). The CVSS 4.0 base score is 5.3, indicating medium severity, with partial impacts on confidentiality, integrity, and availability. Although no known exploits are currently observed in the wild, the vulnerability has been publicly disclosed, increasing the risk of exploitation. The affected devices are commonly used in small to medium enterprise and residential environments, making them attractive targets for attackers seeking to compromise network infrastructure or pivot into internal networks. The lack of available patches at the time of disclosure further exacerbates the risk, necessitating immediate mitigation efforts.

Potential Impact

For European organizations, this vulnerability poses a significant risk to network security and operational continuity. Compromised routers can lead to unauthorized access to internal networks, data exfiltration, and disruption of services. Given that these Netcore devices are often deployed in office environments and branch locations, exploitation could facilitate lateral movement by attackers, undermining confidentiality and integrity of sensitive corporate data. Additionally, attackers could leverage compromised routers to launch further attacks, including man-in-the-middle, DNS hijacking, or as part of botnets for distributed denial-of-service (DDoS) campaigns. The medium severity score reflects partial but meaningful impacts on confidentiality, integrity, and availability, which can translate into financial losses, reputational damage, and regulatory non-compliance under GDPR if personal data is affected. The remote and unauthenticated nature of the exploit increases the urgency for European organizations to address this vulnerability promptly.

Mitigation Recommendations

Organizations should immediately inventory their network infrastructure to identify the presence of affected Netcore router models and firmware versions. In the absence of an official patch, network administrators should implement compensating controls such as restricting remote management access to trusted IP addresses via firewall rules, disabling HTTP management interfaces if not required, or switching to secure management protocols like SSH or VPN-based access. Network segmentation should be enforced to isolate vulnerable devices from critical systems. Continuous monitoring for unusual network traffic or command execution patterns on these devices is recommended. Additionally, organizations should engage with Netcore support channels to obtain firmware updates or security advisories and apply patches as soon as they become available. Regular backups of router configurations and a tested incident response plan will aid in rapid recovery if exploitation occurs.
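The inventory step above can be scripted. The following is an added example, not part of the original advisory or any Netcore tooling: it flags inventory rows whose model is on the affected list and whose firmware build stamp is at or below 20250508. The CSV column names, the hosts, and the assumption that firmware strings carry a YYYYMMDD build stamp are hypothetical.

```python
import csv
import io
import re

# Models and last affected build are taken from the advisory text above.
AFFECTED_MODELS = {"NBR1005GPEV2", "B6V2", "COVER5", "NAP830", "NAP930",
                   "NBR100V2", "NBR200V2"}
LAST_AFFECTED_BUILD = 20250508  # "up to 20250508", treated here as inclusive

# Constructed sample inventory; column names and hosts are hypothetical.
SAMPLE_INVENTORY = """host,vendor,model,firmware
branch-gw-01,Netcore,NBR1005GPEV2,20250110
branch-gw-02,netcore,nap930,V2.1-20250508
lab-ap-01,Netcore,COVER5,20250901
hq-gw-01,Netcore,NBR200V2,unknown
hq-sw-01,OtherVendor,XS-24,20240101
"""

DATE_RE = re.compile(r"(?<!\d)(20\d{2})(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])(?!\d)")

def build_date(firmware):
    """Return the YYYYMMDD build stamp found in a firmware string, or None."""
    m = DATE_RE.search(firmware)
    return int("".join(m.groups())) if m else None

def classify(row):
    """Classify one inventory row against the advisory's affected range."""
    model = re.sub(r"[\s_-]", "", row["model"]).upper()
    if row["vendor"].strip().lower() != "netcore" or model not in AFFECTED_MODELS:
        return "not_applicable"
    build = build_date(row["firmware"])
    if build is None:
        return "review"  # version unreadable: treat as exposed until checked
    # A newer build is only outside the stated range; the advisory names no fixed version.
    return "affected" if build <= LAST_AFFECTED_BUILD else "newer_build"

def triage(inventory_csv):
    """Map each host in the CSV text to its classification."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row) for row in reader}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status}")
```

Hosts reported as `affected` or `review` are the ones to place behind the management-access restrictions and segmentation described above.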


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-05-24T13:36:59.953Z
CISA Enriched: false
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6832c1b90acd01a24927fbf0

Added to database: 5/25/2025, 7:07:37 AM

Last enriched: 7/9/2025, 1:10:31 AM

Last updated: 8/6/2025, 8:41:46 PM
