CVE-2025-1038 | THREATINT

Description

The “Diagnostics Tools” page of the web-based configuration utility does not properly validate user-controlled input, allowing an authenticated user with high privileges to inject commands into the command shell of the TropOS 4th Gen device. The injected commands can be exploited to execute several set-uid (SUID) applications to ultimately gain root access to the TropOS device.

PUBLISHED Reserved 2025-02-04 | Published 2025-10-28 | Updated 2025-10-28 | Assigner Hitachi Energy

HIGH: 7.5CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status

unaffected

8.7.0.0 (custom) before 8.9.6.0

affected

References

publisher.hitachienergy.com/...DocumentPartId=&Action=Launch

cve.org (CVE-2025-1038)

nvd.nist.gov (CVE-2025-1038)

Download JSON