CVE-2025-67113 is an OS command injection vulnerability identified in the CWMP client binary (/ftl/bin/cwmp) of the Small Cell Sercomm SCE4255W device, specifically in firmware versions prior to DG3934v3@2308041842. The vulnerability arises because the TR-069 Download URL parameter, which is used during the firmware upgrade process, is passed into the upgrade pipeline without proper escaping or sanitization. This allows a remote attacker who controls the Auto Configuration Server (ACS) endpoint to inject arbitrary OS commands. Since the CWMP client runs with root privileges, exploitation leads to full system compromise, enabling attackers to execute any command on the device with the highest privileges. The vulnerability requires no authentication or user interaction, making it remotely exploitable over the network. The flaw is classified under CWE-94 (Improper Control of Generation of Code), indicating that untrusted input is directly used in command execution. The CVSS v3.1 base score is 9.8 (critical), reflecting the ease of exploitation and the severe impact on confidentiality, integrity, and availability. No patches or known exploits are currently documented, but the risk is significant given the device's role in network infrastructure and the potential for attackers to leverage this for persistent access or lateral movement.

The impact of CVE-2025-67113 is severe for organizations deploying the affected Small Cell Sercomm SCE4255W devices, particularly in telecommunications and enterprise network environments. Exploitation allows attackers to gain root-level control over the device remotely, potentially leading to full compromise of the device and any connected network segments. This can result in unauthorized data access, manipulation, disruption of network services, and the establishment of persistent backdoors. Given the device's role in small cell network infrastructure, attackers could disrupt cellular coverage or intercept sensitive communications. The vulnerability also poses risks to supply chain security if attackers use compromised devices as footholds for broader attacks. The lack of authentication and user interaction requirements increases the likelihood of exploitation, especially if ACS endpoints are exposed or poorly secured. Organizations worldwide relying on these devices for network extension or private cellular deployments face significant operational and reputational risks.

To mitigate CVE-2025-67113, organizations should immediately restrict access to the ACS endpoints by implementing network segmentation, firewall rules, and VPNs to ensure only trusted management systems can communicate with the CWMP client. Monitoring and logging of TR-069 traffic should be enhanced to detect anomalous or unexpected firmware download requests. Until an official firmware patch is released, consider disabling remote firmware upgrades or replacing affected devices with alternatives that do not expose this vulnerability. Vendors and integrators should prioritize releasing and deploying firmware updates that properly sanitize and escape the Download URL parameter to prevent command injection. Additionally, implement strict input validation and employ security best practices such as running CWMP clients with least privilege where feasible. Regular vulnerability scanning and penetration testing focused on TR-069 interfaces can help identify exploitation attempts. Finally, educate network administrators about the risks of exposing ACS endpoints to untrusted networks.