CVE-2025-13797 Overview
A command injection vulnerability has been identified in the ADSLR B-QE2W401 router firmware version 250814-r037c. The vulnerability exists in the parameterdel_swifimac function within the /send_order.cgi file, where improper handling of the del_swifimac argument allows attackers to inject and execute arbitrary system commands. This vulnerability can be exploited remotely over the network, requiring only low-privilege authentication to execute.
The exploit for this vulnerability has been made publicly available, significantly increasing the risk of exploitation in the wild. Despite early notification, the vendor (ADSLR) has not responded to the disclosure, leaving affected devices without an official patch.
Critical Impact
Authenticated attackers can remotely execute arbitrary commands on the affected ADSLR B-QE2W401 routers through the del_swifimac parameter, potentially leading to complete device compromise, network pivoting, or botnet recruitment.
Affected Products
- ADSLR B-QE2W401 Firmware version 250814-r037c
- ADSLR B-QE2W401 Hardware
Discovery Timeline
- December 1, 2025 - CVE-2025-13797 published to NVD
- December 11, 2025 - Last updated in NVD database
Technical Details for CVE-2025-13797
Vulnerability Analysis
This command injection vulnerability (CWE-77) represents a critical flaw in the web management interface of ADSLR B-QE2W401 routers. The vulnerability has been assigned a CVSS 4.0 score of 5.3 (MEDIUM severity) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
The EPSS (Exploit Prediction Scoring System) rates this vulnerability at a 0.52% probability of exploitation, placing it in the 66.1st percentile of all scored vulnerabilities, which indicates a moderate likelihood of exploitation attempts.
Root Cause
The root cause of this vulnerability is improper input validation and sanitization (CWE-74, CWE-77) in the parameterdel_swifimac function. User-supplied input through the del_swifimac argument is passed directly to system shell functions without adequate escaping or validation, allowing command separators and shell metacharacters to be interpreted as executable commands.
This type of injection vulnerability is common in embedded devices where CGI scripts directly construct shell commands using user input. The firmware fails to implement proper input sanitization measures, treating the MAC address parameter as trusted input when it should be strictly validated against expected formats.
Attack Vector
The attack can be carried out remotely over the network (AV:N) with low attack complexity (AC:L). The attacker requires low-level privileges (PR:L), meaning authentication to the device's web interface is necessary, but no user interaction (UI:N) is required. An attacker can craft malicious HTTP requests to the /send_order.cgi endpoint, injecting shell commands through the del_swifimac parameter. These commands execute with the privileges of the web server process, typically root on embedded devices.
The exploitation technique involves appending shell metacharacters and commands to the expected MAC address input. For detailed technical information and proof-of-concept details, refer to the external references at VulDB (https://vuldb.com/?id.333808) and the associated security reports.
Detection Methods for CVE-2025-13797
Indicators of Compromise
- Unusual HTTP requests to /send_order.cgi containing shell metacharacters such as ;, |, &&, or backticks in the del_swifimac parameter
- Unexpected outbound connections from the router to external IP addresses
- Modified configuration files or unauthorized user accounts on the device
- Anomalous process execution or network traffic patterns originating from the router
Detection Strategies
Network-based detection should focus on monitoring HTTP traffic to the router's management interface for suspicious patterns in POST or GET requests to /send_order.cgi. Intrusion detection systems can be configured with signatures that identify command injection attempts in the del_swifimac parameter, looking for shell metacharacters, base64-encoded commands, or common injection payloads.
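As an added example (not part of the advisory, and not code from the ADSLR firmware), the following Python implements the two defensive checks the text describes: the strict allow-list validation of del_swifimac as a MAC address that the Root Cause section says the firmware lacks, and the use of that same check to flag suspicious /send_order.cgi requests in web-server access-log request lines, as outlined under Detection Strategies. The accepted MAC formats, the query-string placement of the parameter and the sample log lines are assumptions constructed for the example.

```python
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Assumption (not stated in the advisory): a MAC address is six hex octets
# separated consistently by ':' or '-'. Anything else is rejected outright,
# which subsumes any denylist of shell metacharacters (; | && ` $( ...),
# including ones an attacker might encode differently.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")

VULNERABLE_PATH = "/send_order.cgi"
VULNERABLE_PARAM = "del_swifimac"


def is_valid_mac(value: str) -> bool:
    """Allow-list check: the only acceptable del_swifimac value is a well-formed MAC."""
    return MAC_RE.match(value) is not None


def extract_del_swifimac(request_line: str) -> Optional[str]:
    """Return the percent-decoded del_swifimac value from an HTTP request line,
    or None if the line is not a /send_order.cgi request carrying that parameter.
    Assumption: the parameter is in the query string (POST bodies are not logged)."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    url = urlsplit(parts[1])
    if url.path != VULNERABLE_PATH:
        return None
    # parse_qs already decodes %XX escapes and '+', so do not decode again.
    values = parse_qs(url.query, keep_blank_values=True).get(VULNERABLE_PARAM)
    return values[0] if values else None


def classify_request(request_line: str) -> str:
    """'ignore' (not the vulnerable endpoint/parameter), 'benign' (valid MAC),
    or 'suspicious' (anything that is not a plain MAC address)."""
    value = extract_del_swifimac(request_line)
    if value is None:
        return "ignore"
    return "benign" if is_valid_mac(value) else "suspicious"


def scan_log(lines: List[str]) -> List[str]:
    """Return the request lines from an access-log excerpt that warrant review."""
    return [line for line in lines if classify_request(line) == "suspicious"]


# Constructed sample request lines (not real captured traffic).
SAMPLE_LOG = [
    "GET /send_order.cgi?del_swifimac=00:11:22:33:44:55 HTTP/1.1",
    "GET /send_order.cgi?del_swifimac=00:11:22:33:44:55%3Breboot HTTP/1.1",
    "POST /send_order.cgi?del_swifimac=%60id%60 HTTP/1.1",
    "GET /index.html HTTP/1.1",
]
```

Only the first sample line passes the allow-list; the second and third are reported even though neither contains the literal characters an IDS signature would look for until after percent-decoding.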
SentinelOne Singularity provides comprehensive IoT and network device protection through its network discovery and traffic analysis capabilities. The platform can identify anomalous behavior patterns from compromised network devices, including unusual command execution, unauthorized network connections, and data exfiltration attempts.
Monitoring Recommendations
Implement continuous monitoring of all management interface access to ADSLR B-QE2W401 devices. Enable detailed logging of HTTP requests where possible and forward logs to a centralized SIEM solution for correlation and analysis. Network segmentation should be implemented to isolate IoT and network infrastructure devices from critical assets. Deploy network traffic analysis tools to detect command-and-control communications or lateral movement attempts originating from potentially compromised routers.
How to Mitigate CVE-2025-13797
Immediate Actions Required
- Restrict access to the router's web management interface to trusted IP addresses only using firewall rules
- Disable remote management access if not strictly required
- Implement network segmentation to isolate affected devices from critical network resources
- Monitor affected devices for signs of compromise until a patch becomes available
- Consider replacing affected devices with alternatives from vendors with active security response programs
Patch Information
As of the last update on December 11, 2025, no official patch has been released by ADSLR. The vendor was contacted during the disclosure process but did not respond. Affected organizations should monitor VulDB (https://vuldb.com/?id.333808) and vendor communications for any future patch announcements. Given the vendor's lack of response, a permanent fix may not be forthcoming, making device replacement a consideration for security-conscious organizations.
Workarounds
In the absence of an official patch, implement network-level controls to mitigate exploitation risk:
# Example iptables rules to restrict management interface access.
# iptables evaluates rules in order, so the interface-specific DROP and the
# trusted-host ACCEPT must come before the catch-all DROP; a rule appended
# after a catch-all DROP on the same port is never reached.
# Block external access to the router's web interface (eth0 assumed to be the WAN interface)
iptables -A INPUT -p tcp --dport 80 -i eth0 -j DROP
# Allow management access only from the trusted admin workstation on the LAN
iptables -A INPUT -p tcp --dport 80 -s 192.168.1.100 -j ACCEPT
# Drop every other connection to the web interface
iptables -A INPUT -p tcp --dport 80 -j DROP
# Repeat the three rules for --dport 443 if the management interface also listens on HTTPS
Additionally, if the router supports access control lists (ACLs), configure them to restrict web management access to specific trusted hosts. Implement a reverse proxy or web application firewall (WAF) in front of the management interface if continued remote access is essential, with rules to filter command injection patterns in the del_swifimac parameter.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

