CVE-2025-1616
Published: 24 February 2025
Summary
CVE-2025-1616 is a medium-severity Command Injection (CWE-77) vulnerability in Fiberhome An5506-01A Firmware. Its CVSS base score is 4.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 28.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates OS command injection by requiring validation of untrusted inputs such as the Destination Address argument in the Diagnosis component.
- SI-2 (Flaw Remediation): ensures timely remediation of the known command injection flaw through patching or compensating controls despite the vendor's non-response.
- Least privilege: limits exploitation impact by reducing the number of high-privilege (PR:H) accounts able to reach the Diagnosis component and trigger the vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection via the web Diagnosis 'Destination Address' parameter enables exploitation of a public-facing application (T1190), indirect command execution through the diagnostic utility (T1202), and arbitrary command execution on the network device akin to CLI abuse (T1059.008).
NVD Description
A vulnerability, which was classified as critical, has been found in FiberHome AN5506-01A ONU GPON RP2511. Affected by this issue is some unknown functionality of the component Diagnosis. The manipulation of the argument Destination Address leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysis
CVE-2025-1616 is a critical vulnerability in the FiberHome AN5506-01A ONU GPON RP2511 device, specifically affecting an unknown functionality within the Diagnosis component. The issue arises from OS command injection triggered by manipulating the Destination Address argument, classified under CWE-77 and CWE-78. It carries a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-02-24.
The vulnerability can be exploited remotely by attackers who possess high privileges (PR:H) on the affected device, with low attack complexity and no requirement for user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, enabling arbitrary OS command execution through the injected Destination Address argument.
Advisories from VulDB indicate that the exploit has been publicly disclosed and is available for use, with references at https://vuldb.com/?ctiid.296606, https://vuldb.com/?id.296606, and https://vuldb.com/?submit.501483. The vendor was contacted early regarding the disclosure but provided no response, and no patches or specific mitigations are mentioned.
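The SI-10 control named above, worked through as an added example (not code from this page, the vendor or the device firmware): the weak pattern behind CWE-77/78 is concatenating the Destination Address into a shell command string; the hardened form allow-lists the value as an IP literal or RFC 1123 hostname and passes it to the diagnostic utility as a separate argv element with no shell in between. The function names, the ping invocation and the count limit are assumptions; the device's actual Diagnosis code is not shown on this page.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname: labels of letters, digits and hyphens, no leading or
# trailing hyphen, 1-63 chars per label. This alphabet contains no shell
# metacharacters and no leading '-', so a hostname can never become a flag.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")

def validate_destination(raw: str) -> str:
    """Return the Destination Address if it is an IP literal or hostname, else raise ValueError.

    Allow-listing the syntax (NIST SI-10) rejects '192.0.2.1; id' or '$(id)'
    before any command is built, whatever the caller's privilege level.
    """
    if not isinstance(raw, str) or not raw or len(raw) > 253:
        raise ValueError("destination address missing or too long")
    # Python >= 3.9 accepts IPv6 scope ids ('fe80::1%eth0') and does not
    # restrict the text after '%', so refuse scope ids outright.
    if "%" not in raw:
        try:
            return str(ipaddress.ip_address(raw))
        except ValueError:
            pass
    if _HOSTNAME_RE.fullmatch(raw):
        return raw
    raise ValueError(f"destination address rejected: {raw!r}")

def is_safe_destination(raw: str) -> bool:
    """Boolean wrapper for request validation and tests."""
    try:
        validate_destination(raw)
        return True
    except ValueError:
        return False

def build_ping_argv(raw: str, count: int = 4) -> list[str]:
    """Build the probe as an argv list, never a shell string; the count is
    clamped (assumed limit of 10) so the diagnostic cannot become a flood."""
    return ["ping", "-c", str(max(1, min(int(count), 10))), validate_destination(raw)]

def run_diagnosis(raw: str, count: int = 4) -> subprocess.CompletedProcess:
    """shell=False passes each argv element verbatim to execve; no shell parses it."""
    return subprocess.run(build_ping_argv(raw, count), shell=False,
                          capture_output=True, text=True, timeout=30)
```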
Details
- CWE(s)