Command Injection Vulnerability in Microhard BulletLTE-NA2 and IPn4Gii-NA2 Devices
CVE-2025-35006

7.1HIGH

Key Information:

Vendor

Microhard

Status
Ipn4gii / Bullet-lte Firmware
Vendor
CVE Published:
8 June 2025

What is CVE-2025-35006?

Microhard's BulletLTE-NA2 and IPn4Gii-NA2 devices are susceptible to a post-authentication command injection vulnerability associated with the AT+MFPORTFWD command. This issue manifests due to improper neutralization of argument delimiters, allowing attackers to execute arbitrary commands that could lead to privilege escalation. Users are advised to review their devices and implement necessary security measures, as this flaw has not been resolved in the initial disclosures.

Affected Version(s)

IPn4Gii / Bullet-LTE Firmware 0

References

https://takeonme.org/cves/cve-2025-35006/
third-party-advisory
https://www.microhardcorp.com/BulletLTE-NA2.php
product
https://www.microhardcorp.com/IPn4Gii-NA2.php
product

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ricky "HeadlessZeke" Lawshae of Keysight
todb
.
CVE-2025-35006 : Command Injection Vulnerability in Microhard BulletLTE-NA2 and IPn4Gii-NA2 Devices