CVE-2025-13605 Overview
CVE-2025-13605 is a command injection vulnerability in the 3onedata modbus gateway device model GW1101-1D(RS-485)-TB-P running hardware version V2.2.0. The flaw lets authenticated users execute arbitrary shell commands as root by supplying a crafted payload in the IP address field of the diagnosis test tools. The vendor resolved the issue in firmware version 3.0.59B2024080600R4353. The weakness is tracked under CWE-78, Improper Neutralization of Special Elements used in an OS Command.
Critical Impact
Authenticated adjacent-network attackers can execute arbitrary shell commands as root on the gateway, fully compromising the device and any industrial network segment it bridges.
Affected Products
- 3onedata modbus gateway model GW1101-1D(RS-485)-TB-P
- Hardware version V2.2.0
- Firmware versions prior to 3.0.59B2024080600R4353
Discovery Timeline
- 2026-05-04 - CVE-2025-13605 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2025-13605
Vulnerability Analysis
The 3onedata GW1101-1D(RS-485)-TB-P gateway exposes a web-based diagnostic interface that includes network test tools such as ping or traceroute utilities. These tools accept a target IP address from the user and pass it to an underlying operating system command. The firmware fails to sanitize the IP address parameter before invoking the system shell. An authenticated user can append shell metacharacters to the input and have the gateway execute arbitrary commands. The injected commands run with root privileges because the diagnostic service operates as the superuser. Successful exploitation grants full control of the embedded Linux environment, enabling persistence, traffic interception, and lateral movement into the connected Modbus serial network.
Root Cause
The root cause is improper neutralization of OS command elements in the diagnosis test tool input handler. The IP address field is concatenated directly into a shell command string without input validation, allow-listing, or argument escaping. This pattern is classified as CWE-78 and frequently appears in embedded device diagnostic features.
Attack Vector
The attack requires adjacent network access to the gateway management interface and valid authentication credentials. An attacker submits a request to the diagnosis test tool with a payload such as a benign IP followed by a shell separator and an arbitrary command. The gateway executes the appended command as root. Refer to the CERT Polska CVE-2025-13605 Analysis for additional technical context.
No verified public proof-of-concept code is available. The vulnerability mechanism is described in prose only.
Detection Methods for CVE-2025-13605
Indicators of Compromise
- Unexpected outbound network connections originating from the gateway management interface to attacker-controlled hosts.
- Diagnostic tool requests where the IP address field contains shell metacharacters such as ;, |, &, backticks, or $().
- New or modified files in writable firmware directories not associated with vendor updates.
- Authentication events for administrative accounts from unusual adjacent-network sources preceding diagnostic tool activity.
Detection Strategies
- Inspect HTTP request bodies and query parameters sent to the gateway diagnostic endpoints for non-IP characters in IP fields.
- Capture and review device syslog or remote logs for shell process executions spawned by the diagnostic service.
- Baseline normal Modbus gateway traffic and alert on deviations such as outbound TCP connections on non-Modbus ports.
Monitoring Recommendations
- Forward gateway logs to a centralized SIEM for correlation with adjacent-network authentication events.
- Monitor firmware version reporting to confirm devices remain on patched builds.
- Restrict and audit the source IP ranges permitted to reach the gateway management interface.
How to Mitigate CVE-2025-13605
Immediate Actions Required
- Upgrade affected gateways to firmware version 3.0.59B2024080600R4353 or later.
- Rotate administrative credentials on all 3onedata gateways after patching to invalidate any captured passwords.
- Restrict management interface access to a dedicated engineering VLAN or jump host.
- Audit recent authentication and diagnostic tool usage logs for evidence of exploitation.
Patch Information
The vendor has resolved the vulnerability in firmware version 3.0.59B2024080600R4353. Apply this firmware to all GW1101-1D(RS-485)-TB-P devices running hardware version V2.2.0. See the CERT Polska CVE-2025-13605 Analysis for advisory details.
Workarounds
- Disable the diagnosis test tools feature where the gateway configuration permits.
- Enforce network segmentation so only trusted operator workstations reach the gateway management plane.
- Apply strict role-based access control and remove unused administrative accounts to reduce the authenticated attack surface.
# Configuration example: restrict management access with an upstream firewall
# Allow only the engineering jump host to reach the gateway web UI
iptables -A FORWARD -s 10.10.50.10/32 -d 10.20.0.0/24 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d 10.20.0.0/24 -p tcp --dport 80 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
