CVE-2025-67113 identifies a critical OS command injection vulnerability in the CWMP client (/ftl/bin/cwmp) of the Small Cell Sercomm SCE4255W device, specifically in firmware versions prior to DG3934v3@2308041842. The vulnerability arises from improper sanitization of the TR-069 Download URL parameter, which is passed unescaped into the firmware upgrade pipeline. The CWMP client is responsible for managing device configuration and firmware upgrades via the TR-069 protocol, which communicates with an Auto Configuration Server (ACS). An attacker who controls or compromises the ACS endpoint can craft a malicious Download URL that injects arbitrary OS commands executed with root privileges on the device. This leads to full system compromise, enabling attackers to execute any commands, potentially install persistent malware, disrupt device operation, or use the device as a pivot point into internal networks. The vulnerability does not require user interaction but does require control over the ACS server, which is typically restricted but can be targeted via supply chain attacks or insider threats. No public exploits or patches are currently available, and no CVSS score has been assigned. The vulnerability was reserved in December 2025 and published in March 2026. The affected product is used in small cell infrastructure, notably FreedomFi Englewood deployments, which are part of private and public 5G networks. The lack of input validation in the firmware upgrade process represents a critical security flaw that must be addressed promptly.

The impact of CVE-2025-67113 is severe for organizations deploying the affected Small Cell Sercomm SCE4255W devices. Successful exploitation grants attackers root-level control over the device, enabling them to execute arbitrary commands, modify firmware, disrupt network services, or establish persistent backdoors. This can lead to complete device compromise, loss of confidentiality, integrity, and availability of the small cell infrastructure. Since these devices are often part of 5G private or public network deployments, attackers could leverage compromised devices to intercept or manipulate network traffic, degrade service quality, or launch further attacks against connected enterprise or carrier networks. The requirement for ACS endpoint control limits the attack surface but does not eliminate risk, especially if ACS servers are misconfigured, exposed, or compromised. The vulnerability could also facilitate supply chain attacks or insider threats targeting telecommunications infrastructure. Overall, the threat poses a significant risk to network reliability, data privacy, and operational continuity for organizations relying on these small cells.

To mitigate CVE-2025-67113, organizations should: 1) Immediately restrict access to the ACS server to trusted administrators and networks, employing strong authentication and network segmentation to prevent unauthorized control. 2) Monitor ACS server logs and network traffic for suspicious Download URL requests or anomalous firmware upgrade activities. 3) Apply firmware updates from Sercomm as soon as they become available that address this vulnerability. 4) If updates are not yet available, consider disabling remote firmware upgrades or implementing strict validation and filtering of TR-069 parameters at the ACS level. 5) Conduct regular security audits of ACS server configurations and access controls to minimize risk of compromise. 6) Employ network-level protections such as firewalls and intrusion detection systems to detect and block exploitation attempts. 7) Educate operational teams on the risks of ACS endpoint compromise and enforce strict operational security practices. 8) Consider deploying endpoint detection and response (EDR) solutions on network infrastructure to detect unusual command execution patterns indicative of exploitation.