Netcomm Wireless devices (now owned by Lantronix) have been found to contain a serious vulnerability, CVE-2025-4010, which allows remote unauthenticated code execution. The flaw lies in several CGI scripts that handle input parameters with unsafe shell operations. An attacker can trigger it with a curl command and execute arbitrary commands on the device as root. Although Lantronix has released a patch for the issue, researchers point out that the patch may be ineffective. Users are advised to upgrade their firmware and change default credentials to reduce the risk. 2025-6-2 07:36:16 Author: securityonline.info

Netcomm Vulnerability, Remote Code Execution

A newly disclosed vulnerability affecting Netcomm Wireless devices—now under Lantronix ownership—has been assigned CVE-2025-4010, and it poses a serious security risk to industrial and telecommunications networks. Discovered by the ONEKEY Research Lab, the vulnerability allows remote unauthenticated code execution on vulnerable devices, impacting models widely deployed by telecom providers like Vodafone.

“This is the second installment of our command injection series affecting CGI shell scripts,” ONEKEY noted in its report, “specifically the NWL-222 also known as the ‘MachineLink 4G Lite’ sold by Vodafone.”

The vulnerability lies in several CGI scripts (e.g., ssh.cgi, sms.cgi, eth.cgi) located in /www/cgi-bin/, which parse parameters from the $QUERY_STRING environment variable using insecure shell operations. The scripts attempt to convert query string input into shell variables using eval—a critical mistake when handling untrusted input.

“Feeding untrusted input to eval means arbitrary command injection,” the researchers warned. A single cURL command can trigger this flaw:

curl -X POST -u admin:admin 'http://ip.of.device/cgi-bin/ssh.cgi?cmd=;$(id>a)'
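As an added example, not code from the firmware or from ONEKEY, here is the safer alternative to the eval pattern described above: a POSIX sh function that takes a CGI query string, accepts only allowlisted parameter names with strictly validated values, and rejects the whole request otherwise. The ssh.cgi name and the cmd parameter come from the advisory; the accepted keywords and the port parameter are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the Netcomm/Lantronix firmware's code. Shows how a CGI
# shell script such as ssh.cgi can read its parameters from QUERY_STRING
# without eval. The "cmd" parameter comes from the advisory; the accepted
# keywords and the "port" parameter are assumptions for illustration.
#
# The pattern the advisory describes turns every '&'-separated pair into a
# shell assignment with eval, so shell metacharacters in a value run as
# root. The parser below never interprets a value as shell code: names
# must be in the allowlist, values must match a strict pattern, and any
# deviation rejects the whole request.

# parse_query QUERY_STRING
#   prints one "name=value" line per accepted parameter; returns 1 and
#   prints nothing if any pair is unknown or malformed.
parse_query() {
    rest=$1
    out=
    while [ -n "$rest" ]; do
        pair=${rest%%&*}                    # first name=value pair
        case "$rest" in
            *\&*) rest=${rest#*&} ;;        # drop it from the remainder
            *)    rest= ;;
        esac
        name=${pair%%=*}
        value=${pair#*=}
        case "$name" in
            cmd)
                case "$value" in
                    enable|disable|status) ;;   # fixed keywords only
                    *) return 1 ;;
                esac ;;
            port)
                case "$value" in
                    ''|*[!0-9]*) return 1 ;;    # digits only
                esac
                [ "$value" -ge 1 ] && [ "$value" -le 65535 ] || return 1 ;;
            *) return 1 ;;                      # unknown name: never eval it
        esac
        out="$out$name=$value
"
    done
    printf '%s' "$out"
}

# Stand-alone demonstration with constructed inputs.
parse_query 'cmd=enable&port=2222'                    # accepted
parse_query 'cmd=;$(id>a)' || echo "rejected: $?"     # advisory payload
```

Because values are matched before any percent-decoding, URL-encoded metacharacters are rejected as well, since `%` is not in any accepted pattern.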

Attackers exploiting this vulnerability can execute arbitrary shell commands as root, with no user interaction required. This makes CVE-2025-4010 (CVSSv4 8.6) particularly dangerous in exposed network environments.

Many affected devices still ship with hardcoded credentials, including the username admin with the password admin, as well as root:admin and root:bovine.

“Both firmware have default accounts with hardcoded credentials,” ONEKEY wrote, “which helps exploitation if credentials haven’t been changed.”

The affected devices and firmware versions are:

  • NWL-222 (“MachineLink 4G Lite”) – Versions prior to 2.1.21.1
  • NTC-6200 – All versions (declared End-of-Life)

While Lantronix has released firmware 2.1.21.1 claiming to fix the vulnerability, ONEKEY disputes the efficacy of the patch:

“ONEKEY indicates that the fix is insufficient and can be bypassed,” the disclosure notes. “Lantronix shares [our] test result and message with the software team.”

ONEKEY adhered to a 90-day disclosure policy for actively supported devices and 30 days for End-of-Life hardware. Despite ongoing communication with Lantronix, no effective patch was confirmed by the June 2, 2025 deadline, prompting public disclosure.

For NWL-222 users, upgrade to firmware version 2.1.21.1, but remain cautious and test independently, as the patch may not fully remediate the issue.

For NTC-6200 and other EoL devices, immediately change default credentials and restrict network exposure via firewalls or segmentation.

Source: https://securityonline.info/cve-2025-4010-onekey-uncovers-critical-remote-code-execution-flaw-in-netcomm-lantronix-4g-gateways/