Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-67113

CVE-2025-67113: Sercomm SCE4255W CWMP Client RCE Flaw

CVE-2025-67113 is an OS command injection flaw in the CWMP client of Sercomm SCE4255W that allows attackers controlling the ACS endpoint to execute arbitrary commands as root. This article covers technical details, impact, and fixes.

Updated:

CVE-2025-67113 Overview

CVE-2025-67113 is an operating system command injection vulnerability in the CWMP (CPE WAN Management Protocol) client /ftl/bin/cwmp of the Small Cell Sercomm SCE4255W (FreedomFi Englewood) device. Firmware versions prior to DG3934v3@2308041842 pass a TR-069 Download URL unescaped into the firmware upgrade pipeline. A remote attacker controlling the Auto Configuration Server (ACS) endpoint can inject shell metacharacters and execute arbitrary commands as root. The flaw is tracked under [CWE-94] (Improper Control of Generation of Code).

Critical Impact

Remote attackers controlling the ACS endpoint achieve unauthenticated root code execution on affected small cell devices, enabling full device takeover and lateral movement into mobile network infrastructure.

Affected Products

  • Sercomm SCE4255W (FreedomFi Englewood) small cell firmware before DG3934v3@2308041842
  • CWMP client binary /ftl/bin/cwmp shipped with affected firmware
  • FreedomFi Englewood deployments relying on TR-069 ACS provisioning

Discovery Timeline

  • 2026-03-19 - CVE-2025-67113 published to NVD
  • 2026-03-24 - Last updated in NVD database

Technical Details for CVE-2025-67113

Vulnerability Analysis

The CWMP client implements the TR-069 protocol used by service providers to remotely manage customer premises equipment. When the ACS sends a Download Remote Procedure Call (RPC) instructing the device to fetch a firmware image, the cwmp binary extracts the supplied URL and forwards it to the firmware upgrade pipeline. The URL string is concatenated into a shell command without escaping, sanitization, or argument-array execution.

An attacker who controls or impersonates the ACS endpoint can supply a URL containing shell metacharacters such as backticks, $(), or ;. The injected payload executes as root because the upgrade pipeline runs with full privileges to write firmware partitions. No authentication beyond the existing ACS session is required, and no user interaction occurs on the device.

Root Cause

The root cause is unsafe construction of shell command strings from attacker-controllable input. The Download URL value, received over the TR-069 SOAP channel, is interpolated directly into a system shell invocation rather than being passed as a discrete argument to execve or validated against a strict URL grammar.

Attack Vector

Exploitation requires control of the ACS endpoint that the device contacts, either through a compromised carrier ACS, a man-in-the-middle position on the TR-069 transport, or DNS or routing manipulation that redirects the device to an attacker-operated server. Once the device establishes a CWMP session, the attacker issues a Download RPC with a crafted URL containing the command injection payload. The CWMP client processes the RPC and the injected commands execute as root during the upgrade routine.

No verified proof-of-concept code is publicly available. See the Nero Team Blog on FreedomFi for the technical writeup of the discovery.

Detection Methods for CVE-2025-67113

Indicators of Compromise

  • TR-069 Download RPC requests containing shell metacharacters (;, |, `, $(), &&) inside the URL element
  • Outbound connections from small cell devices to ACS hosts not operated by the legitimate carrier
  • Unexpected child processes spawned by /ftl/bin/cwmp such as sh, wget, curl, nc, or busybox utilities outside the normal upgrade flow
  • New cron entries, modified /etc/ configuration files, or unfamiliar listening sockets on the device

Detection Strategies

  • Inspect TR-069 SOAP traffic at the carrier or aggregation tier for Download RPC URLs that fail strict URL grammar validation
  • Correlate firmware upgrade events with the actual firmware build timestamp to identify unsolicited upgrades
  • Baseline expected ACS FQDNs and alert on DNS resolutions or TCP sessions from small cells to unknown destinations

Monitoring Recommendations

  • Log all CWMP session establishment, RPC method names, and source ACS identities for retention and review
  • Monitor egress from the small cell management VLAN for connections to non-approved hosts on ports 7547, 80, and 443
  • Alert on any process execution telemetry from devices showing shell spawns originating from the cwmp binary

How to Mitigate CVE-2025-67113

Immediate Actions Required

  • Upgrade affected Sercomm SCE4255W devices to firmware DG3934v3@2308041842 or later through the trusted carrier provisioning channel
  • Restrict device WAN-side reachability to only the legitimate ACS IP ranges using upstream access control lists
  • Enforce TLS with certificate pinning for all CWMP sessions to prevent ACS impersonation
  • Audit deployed small cells for unauthorized firmware images or persistence artifacts before applying the patch

Patch Information

The vendor fix is delivered in firmware build DG3934v3@2308041842 and later. Operators of FreedomFi Englewood deployments should coordinate with the carrier or device owner to confirm the running build string and schedule the upgrade. Refer to the FCC Report for SCE4255W for device identification details and the FreedomFi Home Page for vendor coordination.

Workarounds

  • Place small cells behind a network segment that allows outbound CWMP only to a hardened, authenticated ACS
  • Terminate TR-069 sessions at a reverse proxy that validates the Download URL against a strict allowlist before forwarding to the device
  • Disable remote firmware download functionality on the ACS where operationally feasible until patched firmware is deployed
bash
# Configuration example: upstream firewall rule restricting CWMP egress
# Replace ACS_IP with the legitimate Auto Configuration Server address
iptables -A FORWARD -s <smallcell_subnet> -p tcp --dport 7547 -d <ACS_IP> -j ACCEPT
iptables -A FORWARD -s <smallcell_subnet> -p tcp --dport 7547 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.