CVE-2025-13605 | THREATINT

Description

3onedata modbus gateway device model GW1101-1D(RS-485)-TB-P (hardware version V2.2.0) allows authenticated users to execute arbitrary shell commands in the context of the root user by providing payload in the "IP address" field of the diagnosis test tools. This issue has been resolved in firmware version 3.0.59B2024080600R4353

PUBLISHED Reserved 2025-11-24 | Published 2026-05-04 | Updated 2026-05-04 | Assigner CERT-PL

CRITICAL: 9.3CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Problem types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status

unaffected

Any version before 3.0.59B2024080600R4353

affected

Credits

Jarosław Wawiórko finder

Łukasz Rybak finder

References

cert.pl/en/posts/2026/05/CVE-2025-13605 third-party-advisory

cve.org (CVE-2025-13605)

nvd.nist.gov (CVE-2025-13605)

Download JSON