Home

Description

An OS command injection vulnerability has been discovered in the Vitogate 300, which can be exploited by malicious users to compromise affected installations. Specifically, the `/cgi-bin/vitogate.cgi` endpoint is affected, when the `form` JSON parameter is set to `form-0-2`. The vulnerability stems from the fact that that function at offset 0x21c24 does not properly sanitize supplied input before interpolating it into a format string which gets passed to `popen()`. Consequently, an authenticated attacker is able to inject arbitrary OS commands and thus gain code execution on affected devices.

PUBLISHED Reserved 2025-08-26 | Published 2025-09-23 | Updated 2025-09-23 | Assigner Carrier




HIGH: 8.5CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status
unaffected

1 (SKU) before 3.1.0.0
affected

Credits

adhkr of LuwakLab working with Trend Micro Zero Day Initiative reporter

References

www.corporate.carrier.com/...-security/advisories-resources/

cve.org (CVE-2025-9494)

nvd.nist.gov (CVE-2025-9494)

Download JSON