CVE-2025-26389

CVSS v3.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: OZW672 versions prior to V8.0 OZW772 versions prior to V8.0

Description: A vulnerability has been identified where the web service in affected devices does not sanitize the input parameters required for the exportDiagramPage endpoint. This could allow an unauthenticated remote attacker to execute arbitrary code with root privileges.

Recommendations: For OZW672 versions prior to V8.0, update to version V8.0 or later to resolve the issue. For OZW772 versions prior to V8.0, update to version V8.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the exportDiagramPage endpoint until a patch is available.

Fix

RCE

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

BDU:2025-06523

CVE-2025-26389

Affected Products

Ozw672

Ozw772

CVE-2025-26389

Weakness Enumeration

Related Identifiers

Affected Products

References · 8