CVE-2025-13800
Published: 01 December 2025
Summary
CVE-2025-13800 is a low-severity Injection (CWE-74) vulnerability in Adslr B-Qe2W401 Firmware. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked in the top 49.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is a command injection flaw in the ADSLR NBR1005GPEV2 firmware version 250814-r037c. It resides in the set_mesh_disconnect function of the /send_order.cgi endpoint, where unsanitized input to the mac argument is passed to an operating system command. The issue is tracked under CWE-74 and CWE-77 and carries a CVSS 4.0 score of 2.1.
An authenticated remote attacker can supply a crafted mac value to execute arbitrary commands on the device. Because the attack requires only low privileges and no user interaction, an adversary who has obtained valid credentials or who already controls a low-privileged account can achieve limited code execution, data modification, or service disruption on the affected router.
Public references on Vuldb document the disclosure timeline and note that the vendor was contacted prior to publication but provided no response or patch. No official mitigation guidance or firmware update has been issued.
The exploit code has been released publicly. The associated EPSS score rose from a baseline near 0.0027 to a peak of 0.0141 on 11 December 2025 before receding, indicating a measurable but short-lived increase in exploitation interest after the CVE became public.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-199945
Vulnerability details
A vulnerability was found in ADSLR NBR1005GPEV2 250814-r037c. This issue affects the function set_mesh_disconnect of the file /send_order.cgi. The manipulation of the argument mac results in command injection. It is possible to launch the attack remotely. The exploit has been…
more
made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The command injection vulnerability (CWE-77) in the web CGI script (/send_order.cgi) enables remote exploitation of a public-facing application (T1190), leading to arbitrary Unix shell command execution (T1059.004) via indirect command execution (T1202).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 mandates information input validation and error handling at interfaces, directly preventing command injection via the unvalidated 'mac' argument in /send_order.cgi.
SI-2 requires timely flaw remediation, addressing the unpatched command injection vulnerability in the ADSLR NBR1005GPEV2 firmware.
AC-6 enforces least privilege, limiting low-privilege (PR:L) access to the vulnerable set_mesh_disconnect function and reducing exploitation potential.