CVE-2025-52361 is a local privilege escalation vulnerability found in the AK-Nord USB-Server-LXL Firmware version 0.0.16 (Build 2023-03-13). The vulnerability arises due to insecure permissions set on the script located at /etc/init.d/lighttpd. This script is executed with root privileges both on every system boot and upon any interaction with the system. Because the script permissions are improperly configured, a locally authenticated user with low privileges can modify or edit this script. By doing so, the attacker can inject arbitrary commands that will be executed with root privileges, effectively allowing them to escalate their privileges from a low-privilege user to root. This type of vulnerability is critical in embedded or server devices where local access is possible, as it undermines the fundamental security model by allowing unauthorized root-level control. The vulnerability does not require remote exploitation but does require local authentication, meaning the attacker must have some level of access to the device. There are no known exploits in the wild at the time of publication, and no CVSS score has been assigned yet. However, the nature of the vulnerability indicates a severe risk due to the ability to execute arbitrary commands as root, potentially leading to full system compromise, data theft, or disruption of services.

For European organizations using the AK-Nord USB-Server-LXL device, this vulnerability poses a significant risk. If an attacker gains local access—whether through physical access or via compromised credentials—they can escalate privileges to root, bypassing any restrictions placed on low-privilege users. This could lead to unauthorized access to sensitive data, manipulation or deletion of critical files, installation of persistent malware, or disruption of business operations. Organizations relying on these devices for network storage, data sharing, or other server functions could face data breaches or operational downtime. In environments with strict regulatory requirements such as GDPR, unauthorized root access and potential data exfiltration could result in compliance violations and heavy fines. Moreover, since the script executes on every system boot and interaction, the attack surface is broad, increasing the likelihood of exploitation once local access is obtained.

To mitigate this vulnerability, organizations should immediately audit the permissions of the /etc/init.d/lighttpd script on all affected AK-Nord USB-Server-LXL devices. The script should be owned by root with restrictive permissions (e.g., 700 or 750) to prevent modification by non-privileged users. Implementing strict access controls to limit local user accounts and enforcing strong authentication mechanisms will reduce the risk of unauthorized local access. Physical security controls should be enhanced to prevent unauthorized physical access to devices. Additionally, organizations should monitor system logs for any unusual modifications to init scripts or unexpected root-level command executions. Since no patch or update is currently available, consider isolating affected devices from critical networks or replacing them with devices from vendors with a stronger security posture. Regular firmware updates should be tracked and applied once a fix is released by the vendor.