CVE-2025-2071
Published: 31 March 2025
Summary
CVE-2025-2071 is a critical-severity OS Command Injection (CWE-78) vulnerability in FAST LTA (inferred from references). Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 23.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A critical OS command injection vulnerability, tracked as CVE-2025-2071 and assigned CWE-78, affects the FAST LTA Silent Brick WebUI. The flaw stems from insufficient sanitization of untrusted input passed directly to system commands, specifically through the "hd" and "pi" parameters. It carries a CVSS 4.0 score of 10.0 and permits unauthenticated remote code execution on the underlying operating system.
Remote attackers with network access can supply crafted input to the WebUI and execute arbitrary operating system commands. Successful exploitation can lead to unauthorized access, data exfiltration, or complete system takeover without requiring user interaction or credentials.
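The two paragraphs above describe the generic CWE-78 pattern: request parameters reach an OS command without validation. The block below is an added illustration, not FAST LTA's code and not the Silent Brick WebUI's actual handler. It assumes a hypothetical status command that takes the "hd" and "pi" values as arguments, shows how such a handler can pass them as discrete argv elements behind a strict allowlist, and runs the same allowlist over constructed access-log lines so a defender can flag requests whose parameter values would have been rejected. The allowlist pattern, the "brick-status" binary name and the log lines are all assumptions.

```python
"""
Added illustration (not FAST LTA's code): taking request parameters such as
"hd" and "pi" to an OS command without letting a shell interpret them, plus
a log check that flags requests whose values fail the same allowlist.
The command name, parameter semantics and sample log lines are assumptions.
"""
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# Strict allowlist: the only characters a device/index parameter legitimately
# needs. Quotes, ';', '|', '$(', backticks, whitespace and newlines are all
# rejected before they can reach a command line. The pattern is an assumption.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def validate_param(value: str) -> bool:
    """Return True only if value matches the allowlist."""
    return bool(SAFE_TOKEN.fullmatch(value))


def build_command(hd: str, pi: str) -> list[str]:
    """Build argv for a hypothetical status command.

    Returning a list means the values travel as discrete arguments and are
    never re-parsed by a shell (no shell=True, no string concatenation).
    Raises ValueError on input that fails the allowlist.
    """
    for name, value in (("hd", hd), ("pi", pi)):
        if not validate_param(value):
            raise ValueError(f"rejected {name!r}: value not in allowlist")
    # "brick-status" is a placeholder binary name, not a real tool.
    return ["brick-status", "--disk", hd, "--index", pi]


def run_status(hd: str, pi: str) -> subprocess.CompletedProcess:
    """Execute the validated command; shell=False (the default) is essential."""
    return subprocess.run(build_command(hd, pi), capture_output=True,
                          text=True, check=False)


def suspicious_requests(log_lines):
    """Return (line_no, param, decoded_value) for access-log requests whose
    "hd" or "pi" value fails the allowlist, i.e. the requests worth review."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        # parse_qs percent-decodes, so encoded metacharacters are caught too.
        qs = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        for param in ("hd", "pi"):
            for value in qs.get(param, []):
                if not validate_param(value):
                    hits.append((n, param, value))
    return hits


# Constructed sample access-log lines (not real traffic, not a real host).
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Mar/2025:10:00:00 +0000] "GET /webui/status?hd=sda1&pi=0 HTTP/1.1" 200 512',
    '10.0.0.9 - - [31/Mar/2025:10:00:07 +0000] "GET /webui/status?hd=sda1%3Bls&pi=0 HTTP/1.1" 200 88',
    '10.0.0.9 - - [31/Mar/2025:10:00:09 +0000] "GET /webui/status?hd=sda1&pi=%24(whoami) HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious request:", hit)
```

The important design choice is that validation is an allowlist of what a disk identifier and index can legitimately contain, not a denylist of shell metacharacters, and that the validated values still go to `subprocess.run` as a list rather than a shell string, so even a gap in the regex cannot turn into command execution. The same allowlist doubles as a detection rule over existing web-server logs for appliances that cannot be patched to 2.63 immediately.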
The referenced vendor advisory points to Silent Brick software version 2.63 as the release addressing the issue, indicating that updating to this version mitigates the command injection vector.
EPSS for the CVE rose from a baseline of 0.0096 to a peak of 0.0165, reflecting a modest increase in predicted exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8717
Vulnerability details
A critical OS Command Injection vulnerability has been identified in the FAST LTA Silent Brick WebUI, allowing remote attackers to execute arbitrary operating system commands via specially crafted input. This vulnerability arises due to improper handling of untrusted input, which is passed directly to system-level commands without adequate sanitization or validation. Successful exploitation could allow attackers to execute arbitrary commands on the affected system, potentially resulting in unauthorized access, data leakage, or full system compromise. Affected WebUI parameters are "hd" and "pi".
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.