CVE-2025-67113 Overview
CVE-2025-67113 is an operating system command injection vulnerability in the CWMP (CPE WAN Management Protocol) client /ftl/bin/cwmp of the Small Cell Sercomm SCE4255W (FreedomFi Englewood) device. Firmware versions prior to DG3934v3@2308041842 pass a TR-069 Download URL unescaped into the firmware upgrade pipeline. A remote attacker controlling the Auto Configuration Server (ACS) endpoint can inject shell metacharacters and execute arbitrary commands as root. The flaw is tracked under [CWE-94] (Improper Control of Generation of Code).
Critical Impact
Remote attackers controlling the ACS endpoint achieve unauthenticated root code execution on affected small cell devices, enabling full device takeover and lateral movement into mobile network infrastructure.
Affected Products
- Sercomm SCE4255W (FreedomFi Englewood) small cell firmware before DG3934v3@2308041842
- CWMP client binary /ftl/bin/cwmp shipped with affected firmware
- FreedomFi Englewood deployments relying on TR-069 ACS provisioning
Discovery Timeline
- 2026-03-19 - CVE-2025-67113 published to NVD
- 2026-03-24 - Last updated in NVD database
Technical Details for CVE-2025-67113
Vulnerability Analysis
The CWMP client implements the TR-069 protocol used by service providers to remotely manage customer premises equipment. When the ACS sends a Download Remote Procedure Call (RPC) instructing the device to fetch a firmware image, the cwmp binary extracts the supplied URL and forwards it to the firmware upgrade pipeline. The URL string is concatenated into a shell command without escaping, sanitization, or argument-array execution.
An attacker who controls or impersonates the ACS endpoint can supply a URL containing shell metacharacters such as backticks, $(), or ;. The injected payload executes as root because the upgrade pipeline runs with full privileges to write firmware partitions. No authentication beyond the existing ACS session is required, and no user interaction occurs on the device.
Root Cause
The root cause is unsafe construction of shell command strings from attacker-controllable input. The Download URL value, received over the TR-069 SOAP channel, is interpolated directly into a system shell invocation rather than being passed as a discrete argument to execve or validated against a strict URL grammar.
Attack Vector
Exploitation requires control of the ACS endpoint that the device contacts, either through a compromised carrier ACS, a man-in-the-middle position on the TR-069 transport, or DNS or routing manipulation that redirects the device to an attacker-operated server. Once the device establishes a CWMP session, the attacker issues a Download RPC with a crafted URL containing the command injection payload. The CWMP client processes the RPC and the injected commands execute as root during the upgrade routine.
No verified proof-of-concept code is publicly available. See the Nero Team Blog on FreedomFi for the technical writeup of the discovery.
Detection Methods for CVE-2025-67113
Indicators of Compromise
- TR-069 Download RPC requests containing shell metacharacters (;, |, `, $(), &&) inside the URL element
- Outbound connections from small cell devices to ACS hosts not operated by the legitimate carrier
- Unexpected child processes spawned by /ftl/bin/cwmp such as sh, wget, curl, nc, or busybox utilities outside the normal upgrade flow
- New cron entries, modified /etc/ configuration files, or unfamiliar listening sockets on the device
Detection Strategies
- Inspect TR-069 SOAP traffic at the carrier or aggregation tier for Download RPC URLs that fail strict URL grammar validation
- Correlate firmware upgrade events with the actual firmware build timestamp to identify unsolicited upgrades
- Baseline expected ACS FQDNs and alert on DNS resolutions or TCP sessions from small cells to unknown destinations
Monitoring Recommendations
- Log all CWMP session establishment, RPC method names, and source ACS identities for retention and review
- Monitor egress from the small cell management VLAN for connections to non-approved hosts on ports 7547, 80, and 443
- Alert on any process execution telemetry from devices showing shell spawns originating from the cwmp binary
How to Mitigate CVE-2025-67113
Immediate Actions Required
- Upgrade affected Sercomm SCE4255W devices to firmware DG3934v3@2308041842 or later through the trusted carrier provisioning channel
- Restrict device WAN-side reachability to only the legitimate ACS IP ranges using upstream access control lists
- Enforce TLS with certificate pinning for all CWMP sessions to prevent ACS impersonation
- Audit deployed small cells for unauthorized firmware images or persistence artifacts before applying the patch
Patch Information
The vendor fix is delivered in firmware build DG3934v3@2308041842 and later. Operators of FreedomFi Englewood deployments should coordinate with the carrier or device owner to confirm the running build string and schedule the upgrade. Refer to the FCC Report for SCE4255W for device identification details and the FreedomFi Home Page for vendor coordination.
Workarounds
- Place small cells behind a network segment that allows outbound CWMP only to a hardened, authenticated ACS
- Terminate TR-069 sessions at a reverse proxy that validates the Download URL against a strict allowlist before forwarding to the device
- Disable remote firmware download functionality on the ACS where operationally feasible until patched firmware is deployed
# Configuration example: upstream firewall rule restricting CWMP egress
# Replace ACS_IP with the legitimate Auto Configuration Server address
iptables -A FORWARD -s <smallcell_subnet> -p tcp --dport 7547 -d <ACS_IP> -j ACCEPT
iptables -A FORWARD -s <smallcell_subnet> -p tcp --dport 7547 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

