CVE-2025-3499

{"id": "CVE-2025-3499", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.9}]}, "published": "2025-07-09T09:15:27.297", "references": [{"url": "https://www.cvcn.gov.it/cvcn/cve/CVE-2025-3499", "source": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "The device has two web servers that expose unauthenticated REST APIs on the management network (TCP\nports 8084 and 8086). Exploiting OS command injection through these APIs, an attacker can send arbitrary\ncommands that are executed with administrative permissions by the underlying operating system."}, {"lang": "es", "value": "El dispositivo cuenta con dos servidores web que exponen API REST no autenticadas en la red de administraci\u00f3n (puertos TCP 8084 y 8086). Al aprovechar la inyecci\u00f3n de comandos del sistema operativo a trav\u00e9s de estas API, un atacante puede enviar comandos arbitrarios que el sistema operativo subyacente ejecuta con permisos administrativos."}], "lastModified": "2025-07-10T13:17:30.017", "sourceIdentifier": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158"}