Cyber Resilience

CVE-2025-2701

Severity: Medium · Public PoC

Published: 24 March 2025
Modified: 17 October 2025
CVSS v4 score: 5.3 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0158 (82.0th percentile)
Risk priority: 12 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-2701 is a medium-severity Command Injection (CWE-77) vulnerability in Amttgroup Hibos. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 18.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-2701 is an OS command injection vulnerability in AMTT Hotel Broadband Operation System version 1.0. It resides in the popen function within the file /manager/network/port_setup.php, where unsanitized input to the arguments SwitchVersion, SwitchWrite, SwitchIP, SwitchIndex, or SwitchState is passed directly to the operating system.

An authenticated remote attacker can supply crafted values to these parameters and execute arbitrary operating-system commands on the affected server. The attack requires low privileges and no user interaction, and a working exploit has already been published.

No vendor patch or official mitigation guidance is available; the vendor was notified but did not respond. Public references consist of a proof-of-concept disclosure and several vulnerability-database entries that reiterate the same details.

The EPSS score rose from a low baseline to a recorded peak of 0.0291, indicating increased exploitation interest after public disclosure.


Vulnerability details

A vulnerability classified as critical was found in AMTT Hotel Broadband Operation System 1.0. This vulnerability affects the function popen of the file /manager/network/port_setup.php. The manipulation of the argument SwitchVersion/SwitchWrite/SwitchIP/SwitchIndex/SwitchState leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1202 Indirect Command Execution (Stealth): Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
Why these techniques?

Remote OS command injection in a public-facing web management interface (/manager/network/port_setup.php) enables exploitation of public-facing applications (T1190) and indirect command execution via popen (T1202).

CVEs Like This One

CVE-2016-15048: same product (Amttgroup Hibos)
CVE-2025-1610: shared CWE-77, CWE-78
CVE-2025-8830: shared CWE-77, CWE-78
CVE-2025-7414: shared CWE-77, CWE-78
CVE-2025-8823: shared CWE-77, CWE-78
CVE-2025-10359: shared CWE-77, CWE-78
CVE-2025-8828: shared CWE-77, CWE-78
CVE-2025-10327: shared CWE-77, CWE-78
CVE-2025-7788: shared CWE-77, CWE-78
CVE-2025-14586: shared CWE-77, CWE-78

Affected Assets

amttgroup / hibos / 1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-mapped)

Prevent (SI-10, Information Input Validation): Directly prevents OS command injection by requiring validation of manipulated inputs like SwitchVersion, SwitchWrite, SwitchIP, SwitchIndex, and SwitchState before passing to popen.

Prevent (SI-2, Flaw Remediation): Requires timely remediation of known flaws such as this critical OS command injection vulnerability through patching or compensatory controls.

Prevent: Restricts information inputs to the vulnerable parameters to only organization-defined allowed values, blocking many malicious command injection payloads.
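As an added illustration of the SI-10 control described above and of the popen weakness in the deeper analysis (this is not the vendor's code; the actual port_setup.php handler is not shown on this page), the following PHP validates the five named parameters against strict allowlists and then starts the helper with an argv array via proc_open, so request data never reaches a shell. The helper path, the accepted value sets and the use of POST are assumptions.

```php
<?php
// Added illustration, not the vendor's code. Tool path, value formats and
// the POST source are assumptions made for the example.

/** Return validated parameters, or null if any value is out of policy. */
function validate_port_setup(array $in): ?array
{
    // SwitchIP must parse as an IP literal and nothing else.
    $ip = filter_var($in['SwitchIP'] ?? '', FILTER_VALIDATE_IP);
    if ($ip === false) {
        return null;
    }
    // SwitchIndex: small non-negative integer (assumed port-index range).
    $idx = filter_var($in['SwitchIndex'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 1024]]);
    if ($idx === false) {
        return null;
    }
    // SwitchState / SwitchVersion: closed vocabularies (assumed values).
    // SwitchWrite: short token, no shell metacharacters (assumed format).
    $state   = $in['SwitchState']   ?? '';
    $version = $in['SwitchVersion'] ?? '';
    $write   = $in['SwitchWrite']   ?? '';
    if (!in_array($state, ['up', 'down'], true)
        || !in_array($version, ['1', '2c', '3'], true)
        || !preg_match('/^[A-Za-z0-9_-]{1,32}$/', $write)) {
        return null;
    }
    return ['ip' => $ip, 'index' => $idx, 'state' => $state,
            'version' => $version, 'write' => $write];
}

/** Exec the helper with an argv array (PHP >= 7.4): no shell is involved. */
function run_port_setup(array $p): string
{
    $argv = ['/usr/local/bin/port-setup',            // assumed helper path
             '--ip', $p['ip'], '--index', (string) $p['index'],
             '--state', $p['state'], '--version', $p['version'],
             '--write', $p['write']];
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return '';
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

$params = validate_port_setup($_POST);   // assumed: parameters arrive via POST
if ($params === null) {
    http_response_code(400);             // reject anything outside the allowlists
    exit('rejected');
}
echo run_port_setup($params);
```

Compared with interpolating request values into a popen string, this rejects out-of-policy input before any process starts and, by passing an argv array, removes the shell that would otherwise interpret metacharacters.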
