Cyber Resilience

CVE-2025-1616

Medium

Published: 24 February 2025
Modified: 28 February 2025
KEV Added
Patch
CVSS v4 Score: 5.1
CVSS v4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0011 (28.4th percentile)
Risk Priority: 10 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-1616 is a medium-severity command injection (CWE-77) vulnerability in FiberHome AN5506-01A firmware. Its CVSS base score is 5.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 28.4th percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-1616 is a vulnerability in the FiberHome AN5506-01A ONU GPON RP2511 device, classified as critical in its original description despite its medium CVSS scores. It affects unspecified functionality in the Diagnosis component. The issue is an OS command injection triggered by manipulating the Destination Address argument, classified under CWE-77 and CWE-78. It carries a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-02-24.

The vulnerability can be exploited remotely by attackers who possess high privileges (PR:H) on the affected device, with low attack complexity and no requirement for user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, enabling arbitrary OS command execution through the injected Destination Address argument.

Advisories from VulDB indicate that the exploit has been publicly disclosed and is available for use, with references at https://vuldb.com/?ctiid.296606, https://vuldb.com/?id.296606, and https://vuldb.com/?submit.501483. The vendor was contacted early regarding the disclosure but provided no response, and no patches or specific mitigations are mentioned.

Vulnerability details

A vulnerability, which was classified as critical, has been found in FiberHome AN5506-01A ONU GPON RP2511. Affected by this issue is some unknown functionality of the component Diagnosis. The manipulation of the argument Destination Address leads to OS command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190: Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1202: Indirect Command Execution (Stealth)
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

T1059.008: Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.

Why these techniques?

OS command injection via the web Diagnosis 'Destination Address' parameter maps to three techniques: exploitation of a public-facing application (T1190), indirect command execution through the diagnostic utility (T1202), and arbitrary command execution on the network device akin to CLI abuse (T1059.008).

CVEs Like This One

CVE-2025-8823: Shared CWE-77, CWE-78
CVE-2025-14094: Shared CWE-77, CWE-78
CVE-2025-10442: Shared CWE-77, CWE-78
CVE-2025-1609: Shared CWE-77, CWE-78
CVE-2025-2095: Shared CWE-77, CWE-78
CVE-2025-8827: Shared CWE-77, CWE-78
CVE-2025-10358: Shared CWE-77, CWE-78
CVE-2025-9752: Shared CWE-77, CWE-78
CVE-2026-5994: Shared CWE-77, CWE-78
CVE-2025-0528: Shared CWE-77, CWE-78

Affected Assets

fiberhome
an5506-01a firmware
rp2511

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent

Directly mitigates OS command injection by requiring validation of untrusted inputs like the Destination Address argument in the Diagnosis component.

prevent

Ensures timely remediation of the known command injection flaw through patching or compensatory controls despite vendor non-response.

prevent

Limits exploitation impact by enforcing least privilege, reducing the number of high-privilege (PR:H) accounts able to trigger the Diagnosis component vulnerability.
