CVE-2025-13798
Published: 01 December 2025
Summary
CVE-2025-13798 is a low-severity Injection (CWE-74) vulnerability in Adslr B-Qe2W401 Firmware. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 46.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
A flaw has been identified in the ADSLR NBR1005GPEV2 firmware version 250814-r037c, specifically in the ap_macfilter_add function within the /send_order.cgi endpoint. The issue stems from improper handling of the mac argument, enabling command injection as classified under CWE-74 and CWE-77. The vulnerability is remotely reachable and carries a CVSS 4.0 score of 2.1, reflecting limited impact on confidentiality, integrity, and availability when exploited by an authenticated user.
An attacker with low privileges can supply a crafted mac parameter over the network to execute arbitrary commands on the device. Public exploit code has been released, lowering the barrier for potential misuse, though the vendor was notified prior to disclosure and provided no response or remediation.
The associated references consist of Vuldb entries and a Notion report documenting the finding, with no official patches or mitigation guidance available due to the lack of vendor engagement. The EPSS score rose from a low baseline to a peak of 0.0143 on 2025-12-11 before receding, indicating a temporary increase in exploitation interest following public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-199942
Vulnerability details
A flaw has been found in ADSLR NBR1005GPEV2 250814-r037c. This affects the function ap_macfilter_add of the file /send_order.cgi. Executing manipulation of the argument mac can lead to command injection. The attack may be performed from remote. The exploit has been…
more
published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection vulnerability in web CGI script (/send_order.cgi) on network device enables exploitation of public-facing application (T1190) for arbitrary Unix shell command execution (T1059.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents command injection by requiring validation and sanitization of the untrusted 'mac' argument in the ap_macfilter_add function of /send_order.cgi.
Mandates timely identification, reporting, and correction of the specific command injection flaw in ADSLR NBR1005GPEV2 firmware version 250814-r037c.
Enables vulnerability scanning to identify unpatched ADSLR NBR1005GPEV2 devices affected by this publicly exploited CVE.