CVE-2025-52688 is a critical command injection vulnerability (CWE-77) affecting Alcatel-Lucent OmniAccess Stellar access points, specifically models AP1100, AP1200, AP1300, AP1400, and AP1500 running AWOS versions 5.0.2 GA and earlier. The vulnerability arises from improper neutralization of special elements in user-supplied input, allowing an unauthenticated remote attacker to inject arbitrary commands executed with root privileges on the affected access point. This means an attacker can execute system-level commands without any authentication or user interaction, gaining full control over the device. The impact includes complete loss of confidentiality, integrity, and availability of the access point, enabling attackers to manipulate network traffic, disrupt wireless services, or use the compromised device as a foothold for further network intrusion. The CVSS v3.1 base score of 9.8 reflects the critical severity, with attack vector being network (AV:N), no privileges required (PR:N), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). No known exploits are reported in the wild yet, but the ease of exploitation and severity make this a high-risk vulnerability requiring immediate attention. The lack of available patches at the time of publication increases exposure risk for organizations using affected devices.

For European organizations, this vulnerability poses a significant risk to wireless network infrastructure security. OmniAccess Stellar access points are commonly deployed in enterprise, government, and critical infrastructure environments across Europe. Exploitation could lead to unauthorized access to sensitive internal networks, interception or manipulation of wireless communications, and disruption of business operations due to denial of service or device takeover. The root-level control gained by attackers could also facilitate lateral movement within networks, data exfiltration, or deployment of ransomware. Given the critical role of wireless access points in modern corporate and public networks, this vulnerability threatens confidentiality of communications, integrity of network operations, and availability of wireless services. Organizations in sectors such as finance, healthcare, public administration, and telecommunications are particularly at risk due to the sensitive nature of their data and regulatory compliance requirements under GDPR and other European data protection laws.

Immediate mitigation steps include isolating affected access points from untrusted networks and restricting management interfaces to trusted administrative networks only. Network segmentation should be enforced to limit the blast radius in case of compromise. Organizations should monitor network traffic for unusual command execution patterns or unexpected device behavior indicative of exploitation attempts. Since no patches are available at the time of reporting, consider deploying compensating controls such as Web Application Firewalls (WAFs) or Intrusion Prevention Systems (IPS) with custom signatures to detect and block command injection attempts targeting these devices. Additionally, disable any unnecessary services or interfaces on the access points to reduce attack surface. Once vendor patches or firmware updates become available, prioritize immediate deployment. Regularly audit device configurations and access logs to detect anomalies. Finally, maintain an incident response plan tailored to wireless infrastructure compromise scenarios to enable rapid containment and recovery.