CVE-2020-25859

Name of the Vulnerable Software and Affected Versions Qualcomm QCMAP software suite versions prior to October 2020

Description The QCMAP CLI utility in the Qualcomm QCMAP software suite has an issue where it uses a system() call without validating the input when handling a SetGatewayUrl() request. This allows a local attacker with shell access to pass shell metacharacters and run arbitrary commands. If QCMAP CLI can be run via sudo or setuid, this also enables elevating privileges to root. The affected software is used in various networking devices, including mobile hotspots and LTE routers.

Recommendations For versions prior to October 2020, consider restricting access to the QCMAP CLI utility to prevent local attackers from exploiting this issue, and avoid running QCMAP CLI via sudo or setuid to minimize the risk of privilege elevation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.