CVE-2025-8890: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in SDMC NE6037
Firmware in SDMC NE6037 routers prior to version 7.1.12.2.44 has a network diagnostics tool vulnerable to shell command injection attacks. In order to exploit this vulnerability, an attacker has to log in to the router's administrative portal, which by default is reachable only via LAN ports.
AI Analysis
Technical Summary
CVE-2025-8890 is an OS command injection vulnerability classified under CWE-78 affecting the SDMC NE6037 router firmware versions prior to 7.1.12.2.44. The flaw resides in the router's network diagnostics tool, which improperly neutralizes special characters in user input before passing them to the underlying operating system shell. This allows an authenticated attacker with administrative privileges to inject and execute arbitrary shell commands on the router. The administrative portal is, by default, only accessible via LAN ports, which limits remote exploitation but does not eliminate risk from insider threats or compromised internal hosts. The vulnerability has a CVSS 4.0 base score of 9.3, indicating critical severity with high impact on confidentiality, integrity, and availability. The attack vector is adjacent network (AV:A), with low attack complexity (AC:L), no user interaction (UI:N), and high privileges required (PR:H). The vulnerability affects all firmware versions before 7.1.12.2.44, and no patches or exploits have been publicly disclosed yet. The vulnerability was reserved in August 2025 and published in November 2025 by CERT-PL. Exploitation could allow attackers to take full control of the device, manipulate network traffic, or disrupt network operations.
Potential Impact
For European organizations, the impact of CVE-2025-8890 can be significant, especially in environments where SDMC NE6037 routers are deployed as critical network infrastructure. Successful exploitation could lead to unauthorized command execution, enabling attackers to alter router configurations, intercept or redirect network traffic, or cause denial of service by disrupting router functionality. This could compromise sensitive data confidentiality, disrupt business operations, and degrade network availability. Since the administrative portal is only accessible via LAN, the threat is primarily from insider attackers or attackers who have gained internal network access through other means, such as compromised endpoints or lateral movement. Organizations with lax internal network segmentation or weak access controls are particularly vulnerable. The vulnerability poses a risk to sectors with high reliance on secure and stable network infrastructure, including government, finance, healthcare, and critical infrastructure providers across Europe.
Mitigation Recommendations
1. Immediately upgrade all SDMC NE6037 routers to firmware version 7.1.12.2.44 or later once available from the vendor to eliminate the vulnerability.
2. Restrict access to the router's administrative portal strictly to trusted LAN segments and authorized personnel only, using network segmentation and access control lists (ACLs).
3. Implement strong authentication mechanisms for router administration, including multi-factor authentication if supported.
4. Monitor internal network traffic for unusual activity or unauthorized access attempts to the router's management interfaces.
5. Regularly audit router configurations and logs to detect potential exploitation attempts.
6. Employ network intrusion detection/prevention systems (IDS/IPS) tuned to detect anomalous command injection patterns or suspicious administrative access.
7. Educate internal staff on the risks of insider threats and enforce strict policies on device access.
8. Consider isolating management interfaces on dedicated management VLANs with limited access.
9. Maintain an up-to-date asset inventory to quickly identify affected devices and prioritize patching.
10. Coordinate with SDMC support for any additional security advisories or patches.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: CERT-PL
- Date Reserved: 2025-08-12T13:56:56.592Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 6928580d8c27b4da49ad4164
Added to database: 11/27/2025, 1:54:21 PM
Last enriched: 12/4/2025, 2:11:03 PM
Last updated: 1/11/2026, 8:20:19 PM