CVE-2025-2773
Published: 23 April 2025
Summary
CVE-2025-2773 is a high-severity OS Command Injection (CWE-78) vulnerability in Bectechnologies Router Firmware. Its CVSS base score is 7.2 (High).
Operationally, it is ranked at the 33.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2025-2773 is a command injection vulnerability in the management interface of multiple BEC Technologies routers. The flaw resides in the sys ping functionality and stems from insufficient validation of user-supplied input before it is passed to a system call, enabling remote code execution. The interface listens on TCP port 22 by default, and the issue is tracked as ZDI-CAN-25903 with a CVSS 3.0 score of 7.2.
Although authentication is required, the existing mechanism can be bypassed, allowing an attacker who reaches the interface to execute arbitrary code on the device with the privileges of the management process. Successful exploitation grants an attacker full control over the router, including the ability to alter configuration, intercept traffic, or use the device as a pivot point.
The sole advisory reference points to ZDI-25-187 without detailing specific patches or workarounds in the supplied information. The EPSS score rose from a low baseline to a peak of 0.0141 on 2026-02-17 before receding to the current value of 0.0014, indicating a period of increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-12172
Vulnerability details
BEC Technologies Multiple Routers sys ping Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of BEC Technologies Multiple Routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the management interface, which listens on TCP port 22 by default. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-25903.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.