CVE-2025-5145
📋 TL;DR
A critical command injection vulnerability in Netcore networking devices allows remote attackers to execute arbitrary commands on affected systems. This affects multiple Netcore router and access point models through manipulation of query strings in the web interface's CGI handler. Organizations using these devices are at risk of complete system compromise.
💻 Affected Systems
- Netcore NBR1005GPEV2
- Netcore B6V2
- Netcore COVER5
- Netcore NAP830
- Netcore NAP930
- Netcore NBR100V2
- Netcore NBR200V2
- Netcore POWER13
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise leading to persistent backdoor installation, data exfiltration, network pivoting, and device bricking.
Likely Case
Unauthenticated remote code execution allowing attacker to gain shell access, modify configurations, and use device as pivot point.
If Mitigated
Limited impact if devices are behind firewalls with strict inbound filtering and network segmentation.
🎯 Exploit Status
Public exploit code available on GitHub, making trivial exploitation possible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: Yes
Instructions:
1. Check Netcore vendor website for firmware updates
2. Download latest firmware for your specific model
3. Backup current configuration
4. Upload and apply firmware update via web interface
5. Restart device
6. Restore configuration if needed
🔧 Temporary Workarounds
Disable web management interface
Disable the vulnerable CGI web interface if not required for management
Specific commands vary by model - consult device documentation
Network access control
Restrict access to the management interface using firewall rules
iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Isolate affected devices in separate VLAN with strict firewall rules
- Implement network monitoring and IDS/IPS rules to detect exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check the device firmware version via the web interface or SSH. If the firmware version date is 20250508 or earlier, the device is vulnerable.
Check Version:
curl -k https://device-ip/status.cgi | grep version
Verify Fix Applied:
Verify that the firmware version shows a date after 20250508, and test with known safe payloads.
📡 Detection & Monitoring
Log Indicators:
- Unusual CGI process execution
- Suspicious commands in web logs
- Multiple failed login attempts followed by successful command execution
Network Indicators:
- HTTP requests to /www/cgi-bin/ with command injection patterns
- Outbound connections from device to unknown IPs
SIEM Query:
source="web_logs" AND uri="/www/cgi-bin/*" AND (command="*;*" OR command="*|*" OR command="*`*" OR command="*$(*")
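The network indicators and SIEM query above, as an added Python example (not from the original advisory or the vendor): it scans web-server access-log lines for requests to /www/cgi-bin/ whose URL-decoded query string contains the same shell metacharacters the SIEM query matches, so percent-encoded variants such as %3B are not missed. The log lines and the handler.cgi name are constructed placeholders, not real device paths.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Shell metacharacters the SIEM query above looks for: ';', '|', backtick, '$('
INJECTION_PATTERN = re.compile(r"[;|`]|\$\(")

# Apache/nginx style access-log line: client IP, timestamp, request line, status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)

def check_line(line: str):
    """Return (client_ip, uri) if the request targets /www/cgi-bin/ and its
    URL-decoded query string contains shell metacharacters, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    if not parts.path.startswith("/www/cgi-bin/"):
        return None
    # Decode once so %3B, %7C, %24%28 and friends are inspected as ';', '|', '$('
    query = unquote_plus(parts.query)
    if INJECTION_PATTERN.search(query):
        return (m.group("ip"), m.group("uri"))
    return None

def scan(lines):
    """Return every (client_ip, uri) hit found in the given log lines."""
    return [hit for hit in (check_line(line) for line in lines) if hit]

# Constructed sample log lines (not from any real device); handler.cgi is a placeholder name
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jun/2025:12:00:01 +0000] "GET /www/cgi-bin/handler.cgi?page=status HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jun/2025:12:00:02 +0000] "GET /www/cgi-bin/handler.cgi?page=status%3Bid HTTP/1.1" 200 128',
    '203.0.113.9 - - [10/Jun/2025:12:00:03 +0000] "GET /www/cgi-bin/handler.cgi?page=%24%28id%29 HTTP/1.1" 200 128',
    '10.0.0.7 - - [10/Jun/2025:12:00:04 +0000] "GET /index.html?x=a;b HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, uri in scan(SAMPLE_LOG):
        print(f"possible command injection attempt from {ip}: {uri}")
```

Only requests under /www/cgi-bin/ are flagged; the metacharacter in the /index.html line is ignored, which keeps the check aligned with the page's indicator rather than every semicolon in the log.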