Command Injection Vulnerability in Quantenna Wi-Fi Chipset
CVE-2025-32455

7.7 HIGH

What is CVE-2025-32455?

The Quantenna Wi-Fi chipset includes a local control script known as router_command.sh that is susceptible to command injection attacks due to improper handling of argument delimiters. This vulnerability, categorized under CWE-88, can allow unauthorized individuals to execute arbitrary commands on the affected devices. As of now, version 8.0.0.28 of the chipset's SDK is known to be vulnerable. While a best practices guide has been released to help implementors mitigate this issue, the vulnerability remains unpatched, posing a significant risk to network security.

Affected Version(s)

Quantenna Wi-Fi chipset 0 <= 8.0.0.28

CVSS V3.1

Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ricky "HeadlessZeke" Lawshae of Keysight
todb