Command Injection Vulnerability in EFM ipTIME A3004T Router
CVE-2025-14485

2.3LOW

Key Information:

Vendor

Efm

Status
Iptime A3004t
Vendor
CVE Published:
11 December 2025

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2025-14485?

A command injection vulnerability exists in the EFM ipTIME A3004T router, specifically affecting the show_debug_screen function located in the /sess-bin/timepro.cgi file within the Administrator Password Handler component. Input manipulation via the argument 'aaksjdkfj' using unexpected characters can allow an attacker to execute arbitrary commands on the router. This vulnerability can be exploited remotely, meaning attackers do not need physical access to the device. The complexity of executing this attack is high, and public exploit details have been disclosed, yet the vendor has not responded to prior notifications regarding this issue.

Affected Version(s)

ipTIME A3004T 14.19.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-14485 - Proof of Concept

References

https://vuldb.com/?id.335768
vdb-entrytechnical-description
https://vuldb.com/?ctiid.335768
signaturepermissions-required
https://vuldb.com/?submit.702655
third-party-advisory

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

niix330 (VulDB User)
JSON
.
CVE-2025-14485 : Command Injection Vulnerability in EFM ipTIME A3004T Router