Description

A vulnerability in Longwatch devices allows unauthenticated HTTP GET requests to execute arbitrary code via an exposed endpoint, due to the absence of code signing and execution controls. Exploitation results in SYSTEM-level privileges.

PUBLISHED Reserved 2025-11-25 | Published 2025-12-02 | Updated 2025-12-02 | Assigner icscert




CRITICAL: 9.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-94 Improper Control of Generation of Code ('Code Injection')

Product status

Default status: unaffected

6.309 (custom): affected

Credits

Concerned OT Engineer (finder)

References

www.cisa.gov/news-events/ics-advisories/icsa-25-336-01 (government-resource)

cve.org (CVE-2025-13658)

nvd.nist.gov (CVE-2025-13658)