Home

Description

A remote command injection vulnerability exists in the confirm.php interface of the WIFISKY 7-layer Flow Control Router via a specially-crafted HTTP GET request to the t parameter. Insufficient input validation allows unauthenticated attackers to execute arbitrary OS commands. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-25 UTC.

PUBLISHED Reserved 2025-04-15 | Published 2025-06-26 | Updated 2025-11-17 | Assigner VulnCheck




CRITICAL: 9.4CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Problem types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status
unaffected

Any version
affected

References

www.szwifisky.com/ product

www.cnvd.org.cn/flaw/show/CNVD-2021-45363 third-party-advisory

s4e.io/...-7-layer-flow-control-router-remote-code-execution third-party-advisory

www.variotdbs.pl/vuln/VAR-202107-1715/ third-party-advisory

vulncheck.com/advisories/wifisky-flow-control-router-rce third-party-advisory

github.com/...n/http/vulnerabilities/other/wifisky7-rce.yaml

cve.org (CVE-2025-34044)

nvd.nist.gov (CVE-2025-34044)

Download JSON