CVE-2025-8480 | THREATINT

Description

Alpine iLX-507 Command Injection Remote Code Execution. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Alpine iLX-507 devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Tidal music streaming application. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-26357.

PUBLISHED Reserved 2025-08-01 | Published 2025-08-01 | Updated 2025-08-07 | Assigner zdi

HIGH: 8.0CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Problem types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status

unknown

6.0.000

affected

References

www.zerodayinitiative.com/advisories/ZDI-25-766/ (ZDI-25-766)

cve.org (CVE-2025-8480)

nvd.nist.gov (CVE-2025-8480)

Download JSON