
CVE-2025-67113: Sercomm SCE4255W CWMP Client RCE Flaw

CVE-2025-67113 is a remote code execution vulnerability in the CWMP client of Sercomm SCE4255W firmware that enables attackers to execute commands as root. This article covers technical details, affected versions, and mitigation.

Published: March 20, 2026

CVE-2025-67113 Overview

A critical OS command injection vulnerability exists in the CWMP client (/ftl/bin/cwmp) of the Sercomm SCE4255W Small Cell, also known as the FreedomFi Englewood device. This firmware vulnerability, present in versions before DG3934v3@2308041842, allows remote attackers who control the Auto Configuration Server (ACS) endpoint to execute arbitrary commands with root privileges. The attack is facilitated through a crafted TR-069 Download URL that is passed unescaped into the firmware upgrade pipeline, enabling full system compromise.

Critical Impact

Remote attackers controlling the ACS endpoint can achieve root-level command execution on affected Small Cell devices, potentially compromising cellular network infrastructure and enabling persistent unauthorized access.

Affected Products

  • Sercomm SCE4255W (FreedomFi Englewood) firmware versions before DG3934v3@2308041842
  • Small Cell devices utilizing the vulnerable CWMP client implementation
  • TR-069 enabled network equipment with unpatched firmware

Discovery Timeline

  • 2026-03-19 - CVE-2025-67113 published to NVD
  • 2026-03-19 - Last updated in NVD database

Technical Details for CVE-2025-67113

Vulnerability Analysis

This command injection vulnerability targets the CPE WAN Management Protocol (CWMP) client, a TR-069 implementation responsible for remote device management and firmware updates. The flaw resides in how the CWMP client processes Download URLs received from the ACS during firmware upgrade operations.

When the device receives a TR-069 Download request, the URL parameter is incorporated into the firmware upgrade pipeline without proper sanitization or escaping. This architectural weakness allows an attacker with control over the ACS endpoint to inject shell metacharacters and arbitrary commands into the download URL, which are then executed by the system with root privileges.

The vulnerability is particularly severe in telecommunications infrastructure contexts, as Small Cell devices like the SCE4255W serve as critical components in cellular network deployments. Successful exploitation grants attackers complete control over the device, potentially enabling network traffic interception, persistent backdoor installation, or pivot attacks against connected infrastructure.

Root Cause

The root cause is the failure to sanitize or escape untrusted input before passing it to a shell execution context. Specifically, the CWMP client at /ftl/bin/cwmp incorporates the TR-069 Download URL parameter, which is supplied by the ACS, directly into command-line operations within the firmware upgrade pipeline without validating it for shell metacharacters. This is a classic command injection pattern in which untrusted data flows directly into a privileged execution context.

Attack Vector

The attack vector requires the adversary to control or compromise the ACS endpoint that the vulnerable device communicates with for TR-069 management operations. This could be achieved through:

  1. Compromising the legitimate ACS server used by the target device
  2. Man-in-the-middle attacks to intercept and modify TR-069 communications
  3. DNS hijacking to redirect the device's ACS communications to an attacker-controlled server
  4. Rogue ACS deployment in environments where device ACS configuration can be manipulated

Once positioned as the ACS, the attacker initiates a TR-069 Download operation with a malicious URL containing embedded shell commands. These commands are passed unescaped through the firmware upgrade process and executed with root privileges on the target device.

The exploitation mechanism involves crafting a Download URL that includes shell metacharacters (such as semicolons, backticks, or command substitution syntax) followed by malicious commands. When the CWMP client processes this URL, the injected commands are executed in the context of the firmware upgrade operation. For detailed technical analysis, refer to the Nero Team Blog on FreedomFi.

Detection Methods for CVE-2025-67113

Indicators of Compromise

  • Unusual outbound network connections from Small Cell devices to unknown external hosts
  • Unexpected processes running with root privileges on the device
  • Modified system files or the presence of unauthorized scripts in firmware directories
  • Anomalous TR-069 Download requests containing shell metacharacters or unusual URL patterns
  • Evidence of command execution artifacts in system logs related to the CWMP client

Detection Strategies

  • Monitor TR-069 communications for Download URLs containing shell metacharacters such as ;, |, $(), or backticks
  • Implement network-level inspection of CWMP traffic between devices and ACS endpoints
  • Deploy integrity monitoring on Small Cell device firmware and configuration files
  • Establish baseline behavior profiles for CWMP client processes and alert on deviations
  • Review ACS server logs for suspicious Download request patterns
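
One way to implement the first and last checks in this list, as an added example (not code from SentinelOne, Sercomm or the referenced research): it extracts the URL argument from CWMP Download RPCs captured from traffic or ACS logs and flags shell metacharacters. The sample envelopes, host names, `ALLOWED_SCHEMES` and the flagged character set are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Shell-significant characters plus whitespace/control bytes. "&" is also a
# query-string separator, so allowlist known firmware URLs that carry one.
SHELL_META = re.compile(r"""[;|&`$()<>\\'"\s\x00-\x1f]""")
ALLOWED_SCHEMES = {"http", "https"}  # assumption: images are fetched over HTTP(S)

def local(tag):
    """Drop the XML namespace; the cwmp namespace URI differs by CWMP version."""
    return tag.rsplit("}", 1)[-1]

def download_urls(soap_xml):
    """Return the URL argument of every Download RPC in one SOAP envelope."""
    urls = []
    for el in ET.fromstring(soap_xml).iter():
        if local(el.tag) == "Download":
            urls += [c.text or "" for c in el if local(c.tag) == "URL"]
    return urls

def findings(url):
    """Reasons a Download URL is suspicious; an empty list means none found."""
    hits = sorted(set(SHELL_META.findall(url)))
    reasons = ["shell metacharacters: " + " ".join(map(repr, hits))] if hits else []
    try:
        parts = urlsplit(url)
    except ValueError:
        return reasons + ["unparseable URL"]
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        reasons.append("unexpected scheme: %r" % parts.scheme)
    if not parts.hostname:
        reasons.append("no host component")
    return reasons

def scan(messages):
    """Map each flagged Download URL to the reasons it was flagged."""
    pairs = ((u, findings(u)) for m in messages for u in download_urls(m))
    return {u: r for u, r in pairs if r}

# Constructed sample traffic: one ordinary Download RPC, one with metacharacters.
ENVELOPE = ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
            'xmlns:cwmp="urn:dslforum-org:cwmp-1-0"><soap:Body><cwmp:Download>'
            '<CommandKey>k1</CommandKey><FileType>1 Firmware Upgrade Image</FileType>'
            '<URL>{}</URL></cwmp:Download></soap:Body></soap:Envelope>')
SAMPLES = [ENVELOPE.format(u) for u in ("https://acs.example.net/firmware/image.bin",
                                        "http://acs.example.net/fw.bin;$(id)")]

if __name__ == "__main__":
    print(scan(SAMPLES))
```

Captured envelopes are untrusted input, so cap message size before parsing and treat a parse failure as an event worth logging.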

Monitoring Recommendations

  • Enable comprehensive logging on ACS servers and correlate with device-side events
  • Implement TLS certificate validation for all TR-069 communications to prevent MITM attacks
  • Deploy network segmentation to isolate Small Cell management traffic from general network access
  • Utilize SentinelOne Singularity platform for endpoint visibility and behavioral analysis on network infrastructure where applicable

How to Mitigate CVE-2025-67113

Immediate Actions Required

  • Upgrade affected Sercomm SCE4255W devices to firmware version DG3934v3@2308041842 or later immediately
  • Audit and verify the integrity of ACS server configurations and access controls
  • Implement strict network access controls limiting which endpoints can communicate with device management interfaces
  • Review device logs for evidence of prior exploitation attempts
  • Consider temporarily disabling TR-069 functionality if firmware updates cannot be immediately applied

Patch Information

The vulnerability is resolved in firmware version DG3934v3@2308041842 and later releases. Organizations should coordinate with Sercomm or FreedomFi for firmware acquisition and deployment guidance. Additional technical details and device specifications can be found in the FCC Device Report. For product information, visit the FreedomFi Homepage.

Workarounds

  • Restrict network access to the TR-069 management interface using firewall rules or network segmentation
  • Implement mutual TLS authentication between devices and ACS endpoints where supported
  • Deploy network-level monitoring to detect and block suspicious TR-069 traffic patterns
  • If TR-069 functionality is not required, disable the CWMP client on affected devices
  • Implement egress filtering to prevent compromised devices from establishing connections to attacker infrastructure

```bash
# Example network segmentation configuration (iptables)
# Restrict TR-069 traffic to the authorized ACS server only.
# Assumes the ACS listens on TCP 7547; adjust to the port in the device's ACS URL.
ACS_IP="192.0.2.10"   # placeholder: replace with the authorized ACS address
iptables -A OUTPUT -p tcp --dport 7547 -d "$ACS_IP" -j ACCEPT
iptables -A OUTPUT -p tcp --dport 7547 -j DROP
iptables -A INPUT -p tcp --sport 7547 -s "$ACS_IP" -j ACCEPT
iptables -A INPUT -p tcp --sport 7547 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: RCE
  • Vendor/Tech: Sercomm
  • Severity: NONE
  • CVSS Score: N/A
  • Known Exploited: No

Impact Assessment

  • Confidentiality: None
  • Integrity: None
  • Availability: None

Technical References

  • FCC Device Report
  • FreedomFi Homepage
  • Nero Team Blog on FreedomFi

Related CVEs

  • CVE-2025-67115: Sercomm SCE4255W Path Traversal Flaw
  • CVE-2025-67114: Sercomm SCE4255W Auth Bypass Vulnerability