PT-2025-33068 · Unknown · Tuoshi Nr500-Ea+1

Published: 2025-08-13 · Updated: 2026-01-06 · CVE-2025-43989

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Shenzhen Tuoshi NR500-EA RG500UEAABxCOMSLIC version 3.4.2731.16.43
Description: The /goform/formJsonAjaxReq POST endpoint mishandles the set timesetting action with the ntpserver0 parameter, allowing for arbitrary OS command execution. An unauthenticated attacker can bypass session checks by setting a username=admin cookie and utilizing the ntpserver0 parameter to execute commands.
Recommendations: Versions prior to 3.4.2731.16.43 should be updated. As a temporary workaround, restrict access to the /goform/formJsonAjaxReq endpoint. Avoid using the ntpserver0 parameter in the set timesetting action until the issue is resolved.
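
A detection check for the request pattern in the description, for use over proxy or WAF logs in front of the device. It is an added example, not vendor or advisory code. The record layout (method, path, Cookie header, body), the JSON body format, the finding names and the sample values are assumptions, since the page does not give the request format.

```python
import ipaddress
import json
import re

ENDPOINT = "/goform/formJsonAjaxReq"  # path named in the advisory
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")  # RFC 1123 shape


def is_plain_ntp_server(value):
    """True for an empty string, a bare IP address or a bare hostname."""
    if not isinstance(value, str):
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return value == "" or (len(value) <= 253 and bool(_HOSTNAME.fullmatch(value)))


def find_key(obj, key):
    """Yield every value stored under `key` at any depth of parsed JSON."""
    if isinstance(obj, dict):
        yield from (v for k, v in obj.items() if k == key)
        obj = list(obj.values())
    if isinstance(obj, list):
        for item in obj:
            yield from find_key(item, key)


def inspect_request(method, path, cookie, body):
    """Findings for one request. Assumed: JSON body, sessions add cookies."""
    if method != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return []
    findings = []
    if [c.strip() for c in cookie.split(";") if c.strip()] == ["username=admin"]:
        findings.append("cookie-only-username")
    try:
        parsed = json.loads(body)  # assumption: the body is JSON
    except ValueError:
        return findings + ["body-not-json"]
    for value in find_key(parsed, "ntpserver0"):
        if not is_plain_ntp_server(value):
            findings.append("ntpserver0-not-a-host")
    return findings


# Constructed sample record, not captured traffic; PLACEHOLDER is inert text.
SAMPLE = ("POST", ENDPOINT, "username=admin",
          '{"data": {"ntpserver0": "time.example.com;PLACEHOLDER"}}')
```

`inspect_request(*SAMPLE)` reports both findings; the same allow-list check on `ntpserver0` is what a server-side fix would apply before the value reaches any system command.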

Exploit

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2025-43989

Affected Products

Rg500Ueaabxcomslic
Tuoshi Nr500-Ea