CVE-2025-13799 Overview
A command injection vulnerability has been identified in ADSLR NBR1005GPEV2 firmware version 250814-r037c. This vulnerability affects the ap_macfilter_del function within the /send_order.cgi file, where improper handling of the mac argument allows attackers to inject and execute arbitrary system commands. The vulnerability is remotely exploitable, making it particularly concerning for network-attached devices.
Critical Impact
Remote attackers can exploit improper input validation in the MAC filter deletion function to execute arbitrary commands on the affected network device, potentially gaining unauthorized access to the network infrastructure.
Affected Products
- ADSLR B-QE2W401 Firmware
- ADSLR B-QE2W401 Hardware Device
- ADSLR NBR1005GPEV2 (Firmware version 250814-r037c)
Discovery Timeline
- 2025-12-01 - CVE-2025-13799 published to NVD
- 2025-12-11 - Last updated in NVD database
Technical Details for CVE-2025-13799
Vulnerability Analysis
This vulnerability is classified under CWE-77 (Command Injection) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). The flaw resides in the ap_macfilter_del function, which is responsible for removing MAC addresses from the device's filtering list. When processing the mac parameter, the function fails to properly sanitize user-supplied input before passing it to system command execution routines.
The attack can be initiated remotely over the network, requiring only low-privilege authentication. No user interaction is necessary for exploitation. The vulnerability has been publicly disclosed, and exploit details have been made available, increasing the risk of active exploitation attempts against unpatched devices.
Root Cause
The root cause of this vulnerability is insufficient input validation and sanitization within the ap_macfilter_del function. The mac parameter, intended to receive MAC address strings, is processed without proper escaping or validation of special characters. This allows an attacker to append shell metacharacters and arbitrary commands to the expected MAC address input, which are then executed by the underlying system shell.
The vendor, ADSLR, was contacted about this security issue but did not respond to the disclosure, leaving users without an official patch or mitigation guidance.
Attack Vector
The attack vector is network-based, accessible through the /send_order.cgi endpoint. An authenticated attacker with low privileges can craft a malicious HTTP request containing shell metacharacters (such as ;, |, &&, or backticks) within the mac parameter. When the ap_macfilter_del function processes this input, the injected commands are executed with the privileges of the web server process, typically running as root on embedded devices.
A typical exploitation scenario would involve sending a specially crafted request to the vulnerable endpoint. The attacker would include command injection payloads within the MAC address field, allowing execution of arbitrary system commands. This could enable actions such as establishing reverse shells, modifying device configurations, or pivoting to other network resources.
For detailed technical information about this vulnerability, refer to the VulDB security advisory and the associated submission documentation.
Detection Methods for CVE-2025-13799
Indicators of Compromise
- Unusual HTTP requests to /send_order.cgi containing shell metacharacters (;, |, &&, `) in the mac parameter
- Unexpected outbound connections from the ADSLR device to external IP addresses
- Modified system configuration files or new user accounts on the device
- Anomalous process execution or shell activity originating from the web server process
Detection Strategies
- Implement network intrusion detection rules to monitor HTTP traffic to ADSLR devices for command injection patterns in the mac parameter
- Deploy web application firewall (WAF) rules to block requests containing shell metacharacters to the /send_order.cgi endpoint
- Enable and review web server access logs on ADSLR devices for suspicious request patterns
- Monitor network traffic from ADSLR devices for unexpected outbound connections or data exfiltration attempts
Monitoring Recommendations
- Configure SIEM alerts for HTTP requests to ADSLR management interfaces containing injection payloads
- Establish baseline network behavior for ADSLR devices and alert on deviations
- Implement egress filtering to restrict outbound connections from network devices
- Regularly audit device configurations and compare against known-good baselines
How to Mitigate CVE-2025-13799
Immediate Actions Required
- Restrict network access to the ADSLR device management interface using firewall rules or network segmentation
- Implement strong authentication controls and limit administrative access to trusted IP addresses only
- Consider temporarily disabling web-based management if not operationally required
- Deploy network-based intrusion prevention systems (IPS) with signatures for command injection attacks
Patch Information
As of the last update, ADSLR has not released a security patch for this vulnerability. The vendor was contacted during the responsible disclosure process but did not respond. Users should monitor VulDB entry #333810 and vendor communications for any future patch announcements. Given the lack of vendor response, organizations should prioritize implementing compensating controls and consider device replacement with actively supported alternatives.
Workarounds
- Place ADSLR devices behind a dedicated management VLAN with strict access controls
- Use a reverse proxy with input validation to filter malicious requests before they reach the device
- Disable the MAC filter functionality if not operationally required to reduce attack surface
- Implement host-based firewall rules on the device (if supported) to limit access to the web interface
# Example: Network segmentation using iptables to restrict access to management interface
# Allow only trusted management subnet
iptables -A INPUT -s 192.168.10.0/24 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s 192.168.10.0/24 -p tcp --dport 443 -j ACCEPT
# Drop all other access to web management ports
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
