CVE-2025-13798 Overview
A command injection vulnerability has been identified in ADSLR NBR1005GPEV2 firmware version 250814-r037c. This security flaw affects the ap_macfilter_add function within the /send_order.cgi file. By manipulating the mac argument, an attacker can inject and execute arbitrary commands on the affected device. The attack can be performed remotely over the network, making this a significant security concern for organizations using affected ADSLR networking equipment.
The vulnerability has been publicly disclosed with exploit details available, and notably, the vendor was contacted about this issue but did not respond.
Critical Impact
Remote attackers with low-level privileges can execute arbitrary commands on vulnerable ADSLR routers by exploiting improper input validation in the MAC address filtering functionality, potentially leading to complete device compromise.
Affected Products
- ADSLR B-QE2W401 Firmware
- ADSLR B-QE2W401 Hardware
- ADSLR NBR1005GPEV2 (firmware version 250814-r037c)
Discovery Timeline
- 2025-12-01 - CVE-2025-13798 published to NVD
- 2025-12-11 - Last updated in NVD database
Technical Details for CVE-2025-13798
Vulnerability Analysis
CVE-2025-13798 is classified as a command injection vulnerability (CWE-77) with broader implications of injection attacks (CWE-74). The vulnerability exists in the ap_macfilter_add function, which processes user-supplied MAC address input through the /send_order.cgi endpoint.
The CVSS 4.0 score is 5.3 (Medium) with the following attack characteristics:
- Attack Vector: Network-based exploitation
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None required
The EPSS (Exploit Prediction Scoring System) indicates a 0.52% probability of exploitation in the wild, placing this vulnerability at the 66th percentile compared to other vulnerabilities.
Root Cause
The root cause of this vulnerability stems from insufficient input validation and sanitization of the mac parameter in the MAC address filtering functionality. When user-supplied data is passed to the ap_macfilter_add function, the input is not properly sanitized before being processed by shell commands or system calls, allowing attackers to inject malicious command sequences.
This is a common vulnerability pattern in embedded network devices where input handling routines fail to escape or validate special characters that have meaning in command interpreters.
Attack Vector
The attack vector for CVE-2025-13798 involves sending specially crafted HTTP requests to the /send_order.cgi endpoint on vulnerable ADSLR devices. An authenticated attacker with low-level privileges can manipulate the mac parameter to include shell metacharacters and command sequences.
The vulnerability manifests when the mac parameter value is passed to system functions without proper sanitization. By including command separators (such as ;, |, or &&) followed by malicious commands, an attacker can execute arbitrary code on the underlying operating system with the privileges of the web server process.
Since the attack can be performed remotely over the network and requires only low-level authentication, compromised devices could be used as pivot points for further network intrusion, incorporated into botnets, or have their configurations maliciously modified.
Detection Methods for CVE-2025-13798
Indicators of Compromise
- Unusual HTTP requests to /send_order.cgi containing shell metacharacters in the mac parameter
- Unexpected outbound network connections from ADSLR devices
- Anomalous process execution or system commands on the router device
- Modified device configurations or unauthorized administrative accounts
- Unusual CPU or memory utilization on affected networking equipment
Detection Strategies
Organizations should implement the following detection strategies for CVE-2025-13798:
- Web Application Firewall (WAF) Rules: Deploy rules to detect and block requests containing command injection patterns in MAC address fields, including shell metacharacters like ;, |, &&, backticks, and $().
- Network Traffic Analysis: Monitor HTTP traffic to ADSLR devices for requests to /send_order.cgi with suspicious mac parameter values that don't conform to standard MAC address format (XX:XX:XX:XX:XX:XX).
- Log Analysis: Review web server logs on affected devices for access patterns indicating exploitation attempts against the vulnerable endpoint.
- Behavioral Detection: SentinelOne Singularity platform can detect anomalous process execution and command injection attempts through behavioral AI analysis, providing protection even without specific signature updates.
Monitoring Recommendations
- Enable verbose logging on ADSLR devices if available
- Implement network segmentation to isolate management interfaces of networking equipment
- Deploy intrusion detection/prevention systems with signatures for command injection attacks
- Monitor for unauthorized configuration changes on network devices
- Establish baseline behavior for device network communications and alert on deviations
How to Mitigate CVE-2025-13798
Immediate Actions Required
- Restrict network access to the device's web management interface to trusted IP addresses only
- Implement strong authentication and access controls for device administration
- Place affected devices behind a firewall and disable remote management if not required
- Monitor device logs for signs of exploitation attempts
- Consider replacing affected devices with supported alternatives if no patch becomes available
Patch Information
As of the last update on 2025-12-11, no official patch has been released by ADSLR. The vendor was contacted about this vulnerability but did not respond. Organizations should monitor vendor communications and security advisories for any future patch releases.
Workarounds
Since no official patch is available, organizations should implement the following compensating controls:
- Network Isolation: Restrict access to the management interface by placing the device on a separate VLAN and implementing strict firewall rules that only allow administrative access from specific trusted hosts.
- Input Filtering: If a reverse proxy or WAF can be placed in front of the device, implement strict input validation rules that reject any mac parameter values that don't conform to valid MAC address formats or contain potentially dangerous characters.
- Disable Unnecessary Services: If the MAC filtering functionality is not required, disable it if the device firmware allows, or avoid using the affected feature entirely.
- Consider Device Replacement: Given the vendor's lack of response, organizations with critical security requirements should evaluate replacing affected ADSLR devices with alternatives from vendors with better security support and patch management practices.
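The MAC-format allow-list that the Input Filtering workaround and the log and traffic analysis under Detection Strategies both rely on, as an added example (not vendor or SentinelOne code). The access-log layout and the sample lines are assumptions constructed here; the advisory does not say whether mac travels in the query string or the request body, so the check covers both.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

ENDPOINT = "/send_order.cgi"  # vulnerable endpoint named in the advisory
# Allow-list: exactly six colon-separated hex octets (XX:XX:XX:XX:XX:XX).
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")
# Assumed access-log layout (Common/Combined Log Format); adjust to your proxy.
LOG_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|PUT|HEAD) (\S+) [^"]*"')


def bad_mac_values(target, body=""):
    """Return every decoded mac value that fails the allow-list.

    target is the request target (path?query); body is an optional
    urlencoded form body. Both are checked because the advisory does not
    state which one carries the parameter.
    """
    parts = urlsplit(target)
    if not unquote(parts.path).endswith(ENDPOINT):
        return []
    bad = []
    for encoded in (parts.query, body):
        # Split on '&' only so a raw ';' stays inside the value under test.
        for pair in filter(None, encoded.split("&")):
            key, _, value = pair.partition("=")
            decoded = unquote_plus(value)
            if unquote_plus(key) == "mac" and not MAC_RE.fullmatch(decoded):
                bad.append(decoded)
    return bad


def scan_log(lines):
    """Return (client, value) pairs for log lines that should raise an alert."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            hits.extend((m.group(1), v) for v in bad_mac_values(m.group(2)))
    return hits


# Constructed sample lines (documentation addresses, harmless marker text).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Dec/2025:10:00:00 +0000] "GET /send_order.cgi?mac=00:11:22:33:44:55 HTTP/1.1" 200 12',
    '192.0.2.77 - - [12/Dec/2025:10:00:05 +0000] "GET /send_order.cgi?mac=00:11:22:33:44:55%3Becho%20marker HTTP/1.1" 200 12',
    '192.0.2.77 - - [12/Dec/2025:10:00:09 +0000] "GET /index.html?mac=zz HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for client, value in scan_log(SAMPLE_LOG):
        print(f"ALERT {client}: non-conforming mac value {value!r}")
```

Matching on the decoded value against a strict allow-list, rather than on a list of metacharacters, also catches percent-encoded input and separators that a deny-list would not enumerate.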

