Cyber Resilience

CVE-2025-2071

Critical · RCE

Published: 31 March 2025
Modified: 15 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: available (vendor advisory references Silent Brick 2.63)
CVSS v4.0 score: 10.0 (Critical)
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:N/R:X/V:X/RE:M/U:Amber
EPSS score: 0.0096 (77.0th percentile)
Risk priority: 21 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-2071 is a critical-severity OS Command Injection (CWE-78) vulnerability in the FAST LTA Silent Brick WebUI (vendor and product are inferred from the references and description, since NVD filed no CPE for this CVE). Its CVSS v4.0 base score is 10.0 (Critical).

Operationally, its EPSS score places it in the top 23.0% of CVEs by predicted exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

A critical OS command injection vulnerability, tracked as CVE-2025-2071 and assigned CWE-78, affects the FAST LTA Silent Brick WebUI. The flaw stems from untrusted input reaching operating-system commands without sanitization, specifically via the WebUI's "hd" and "pi" parameters. It carries a CVSS 4.0 score of 10.0; the vector (AV:N/PR:N/UI:N) means it is reachable over the network and needs neither privileges nor user interaction, so it permits unauthenticated remote command execution on the underlying operating system.

Remote attackers with network access to the WebUI can supply crafted values for these parameters and execute arbitrary operating system commands without credentials or user interaction. Successful exploitation can lead to unauthorized access, data exfiltration, or complete takeover of the affected system.

The referenced vendor advisory points to Silent Brick software version 2.63 as the release addressing the issue, so updating to that release is the remediation the advisory indicates. As a general interim measure (not specific to this advisory), restricting network access to the WebUI to trusted management networks limits exposure until the update is applied.

EPSS for the CVE has ranged from a baseline of 0.0096 to a peak of 0.0165, a modest rise in predicted exploitation interest after disclosure; the score listed above (0.0096) sits at that baseline.

EU & UK References

Vulnerability details

A critical OS Command Injection vulnerability has been identified in the FAST LTA Silent Brick WebUI, allowing remote attackers to execute arbitrary operating system commands via specially crafted input. This vulnerability arises due to improper handling of untrusted input, which is passed directly to system-level commands without adequate sanitization or validation. Successful exploitation could allow attackers to execute arbitrary commands on the affected system, potentially resulting in unauthorized access, data leakage, or full system compromise. Affected WebUI parameters are "hd" and "pi".

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

FAST LTA Silent Brick WebUI
Vendor and product inferred from the references and description; NVD did not file a CPE for this CVE. The vendor advisory names Silent Brick 2.63 as the fixed release.

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection. This generic control fits poorly here: the Silent Brick WebUI is a web management interface that, per the advisory, hands the "hd" and "pi" values to OS commands by design, so a runtime sandbox alone would not stop the injection.

Addresses CWE-78: Input validation that rejects special elements (shell metacharacters such as ;, |, &, $( ), backticks and newlines) before a value reaches an OS command. Allowlisting the expected token shape of "hd" and "pi" is stronger than blocklisting metacharacters, and invoking the backend tool with an argument vector instead of a shell string removes the shell's interpretation step entirely, so a value that slips past validation is still delivered as one literal argument.
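The vulnerable pattern described under Deeper analysis and the input-validation control listed above, shown together as an added example in Python. This is not FAST LTA's code: the real WebUI's implementation language, the backend command it runs and the exact semantics of "hd" and "pi" are not published. The example assumes "hd" names a disk and "pi" is a small integer index, and uses echo as a stand-in for the backend tool so that it runs offline.

```python
"""CWE-78 pattern behind CVE-2025-2071, vulnerable form beside a hardened one.

Added illustration, not Silent Brick code. Assumptions: "hd" is a disk name
such as "sda", "pi" is a small integer index, and `echo` stands in for the
unknown backend tool. The attack value below is constructed for the demo.
"""
import re
import subprocess

# Allowlist shapes for the two parameters (assumed token formats).
HD_RE = re.compile(r"^[a-z][a-z0-9]{1,15}$")   # e.g. "sda", "nvme0n1"
PI_RE = re.compile(r"^[0-9]{1,3}$")            # small integer index


def run_vulnerable(hd: str, pi: str) -> str:
    """The weak pattern: request parameters interpolated into a shell string.

    /bin/sh parses the whole line, so ';', '|', '&&', '$(...)' or backticks
    in hd/pi start a second command chosen by the attacker.
    """
    cmd = f"echo disk={hd} port={pi}"              # stand-in for the real tool
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def validate(hd: str, pi: str) -> tuple[str, str]:
    """Allowlist validation: accept only plain tokens, reject everything else."""
    if not HD_RE.fullmatch(hd):
        raise ValueError(f"invalid hd parameter: {hd!r}")
    if not PI_RE.fullmatch(pi):
        raise ValueError(f"invalid pi parameter: {pi!r}")
    return hd, pi


def is_rejected(hd: str, pi: str) -> bool:
    """True when the hardened path refuses the parameters."""
    try:
        validate(hd, pi)
    except ValueError:
        return True
    return False


def run_argv_only(hd: str, pi: str) -> str:
    """Argv list without a shell and without validation.

    No shell parses the arguments, so the injected text is delivered to the
    tool as one literal argument instead of becoming a second command.
    """
    out = subprocess.run(["echo", f"disk={hd}", f"port={pi}"],
                         capture_output=True, text=True)
    return out.stdout


def run_hardened(hd: str, pi: str) -> str:
    """Hardened pattern: allowlist first, then argv list with shell=False."""
    hd, pi = validate(hd, pi)
    return run_argv_only(hd, pi)


# Constructed attack value: a harmless second command stands in for a payload.
PAYLOAD_HD = "sda; echo INJECTED"

if __name__ == "__main__":
    print(run_vulnerable(PAYLOAD_HD, "1"), end="")   # two commands ran
    print(run_argv_only(PAYLOAD_HD, "1"), end="")    # one literal argument
    try:
        run_hardened(PAYLOAD_HD, "1")
    except ValueError as err:
        print("rejected:", err)
```

Running it shows the three outcomes side by side: the shell form prints `disk=sda` and then `INJECTED port=1` on a second line because two commands executed, the argv form prints the whole payload as a single literal argument, and the hardened form refuses the value before any command runs. Both defenses are worth having; the allowlist gives a clear audit log entry, while the argv form protects against validation gaps.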

References