CVE-2025-5147

6.3 MEDIUM

Remote Code Execution

📋 TL;DR

This critical vulnerability in Netcore routers allows remote attackers to execute arbitrary commands by injecting malicious input into the 'url' parameter of the tools_ping function. Attackers can potentially take full control of affected devices. Organizations using Netcore NBR1005GPEV2, NBR200V2, or B6V2 routers are affected.

💻 Affected Systems

Products:

• Netcore NBR1005GPEV2
• Netcore NBR200V2
• Netcore B6V2

Versions: All versions up to 20250508

Operating Systems: Embedded Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the network_tools utility accessible via web interface or direct access to the function.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

1. Review the CVE details at NVD
2. Check vendor security advisories for your specific version
3. Test if the vulnerability is exploitable in your environment
4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing attackers to install persistent backdoors, pivot to internal networks, intercept traffic, or use devices as botnet nodes.

🟠

Likely Case

Remote code execution leading to device takeover, credential theft, network reconnaissance, and potential lateral movement.

🟢

If Mitigated

Limited impact if devices are behind firewalls with strict inbound filtering and network segmentation.

🌐 Internet-Facing: HIGH - Attack can be initiated remotely without authentication, making exposed devices immediate targets.

🏢 Internal Only: MEDIUM - Still vulnerable to internal attackers or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit code available on GitHub, making exploitation trivial for attackers with basic skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: Yes

Instructions:

1. Check vendor website for firmware updates
2. If update available, download and verify checksum
3. Backup current configuration
4. Upload firmware via web interface
5. Reboot device
6. Restore configuration if needed

🔧 Temporary Workarounds

Network Access Control

all

Restrict access to router management interface using firewall rules

Disable Unnecessary Services

linux

Disable ping/tools functionality if not required

🧯 If You Can't Patch

• Isolate affected routers in separate VLAN with strict access controls
• Implement network monitoring for suspicious outbound connections from routers

🔍 How to Verify

Check if Vulnerable:

Copy

Check firmware version via web interface or SSH: cat /proc/version or check web admin panel

Check Version:

Copy

cat /proc/version || grep -i version /etc/*release

Verify Fix Applied:

Copy

Verify firmware version is newer than 20250508 and test ping functionality with malicious input

📡 Detection & Monitoring

Log Indicators:

• Unusual command execution in system logs
• Multiple failed ping attempts with unusual parameters
• Process execution from network_tools with suspicious arguments

Network Indicators:

• Outbound connections from router to unusual destinations
• Unexpected SSH or reverse shell connections originating from router

SIEM Query:

Copy

source="router_logs" AND ("tools_ping" OR "network_tools") AND (url="*;*" OR url="*|*" OR url="*`*" OR url="*$(*")

📊 Metadata

CVE ID: CVE-2025-5147

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

EPSS Score: 0.37% exploit probability (58th percentile)

Published: May 25, 2025

Last Updated: May 29, 2025

🔗 References

• https://github.com/Exploo0Osion/netcore_command_injection_3
• https://vuldb.com/?ctiid.310235
• https://vuldb.com/?id.310235
• https://vuldb.com/?submit.573682

📤 Share & Export

Twitter LinkedIn Reddit Copy Link

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-5147, you might also want to check these:

CVE-2026-25520 10.0

SandboxJS versions before 0.8.29 have a critical sandbox escape vulnerability that allows attackers ...

Same vulnerability type (CWE-74)

CVE-2026-25586 10.0

This CVE describes a sandbox escape vulnerability in SandboxJS library versions before 0.8.29. Attac...

Same vulnerability type (CWE-74)

CVE-2025-20281 10.0

An unauthenticated remote code execution vulnerability in Cisco ISE and ISE-PIC API allows attackers...

Same vulnerability type (CWE-74)