CVE-2025-29269
Published: 04 December 2025
Summary
CVE-2025-29269 is a critical-severity OS Command Injection (CWE-78) vulnerability in Allnet All-Rut22Gw Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 33.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-29269 is an OS command injection vulnerability affecting ALLNET ALL-RUT22GW version 3.3.8, exploitable via the command parameter of the popen.cgi endpoint. Classified under CWE-78, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): critical severity, with high impact on confidentiality, integrity, and availability.
Remote attackers with network access can exploit this vulnerability without authentication, privileges, or user interaction. By injecting malicious commands through the vulnerable parameter, they can achieve arbitrary operating system command execution on the affected device, enabling full compromise including data theft, modification, or denial of service.
Vendor advisories and further details are available at http://all-rut22gw.com and http://allnet.com, alongside analysis in a blog post on critical vulnerabilities in RUT22GW industrial LTE cellular routers at https://blog.byteray.co.uk/critical-vulnerabilities-in-rut22gw-industrial-lte-cellular-routers-f4eb8768feb7?gi=f74ff4eb9f22. The CVE entry does not specify patch availability or mitigation steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-201252
Vulnerability details
ALLNET ALL-RUT22GW v3.3.8 was discovered to contain an OS command injection vulnerability via the command parameter in the popen.cgi endpoint.
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an unauthenticated OS command injection in a public-facing CGI endpoint (popen.cgi), directly enabling T1190 (Exploit Public-Facing Application) for initial access and T1059.004 (Unix Shell) for arbitrary command execution on the likely Linux-based router.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates OS command injection by requiring validation and sanitization of the vulnerable 'command' parameter in the popen.cgi endpoint.
- SI-2 (Flaw Remediation): establishes a risk-based process to identify, prioritize, and remediate the specific flaw in popen.cgi that enables arbitrary OS command execution.
- SC-7 (Boundary Protection): implements boundary protections such as web application firewalls to inspect and block network traffic containing command injection payloads targeting the popen.cgi endpoint.
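The SI-10 control above is easiest to see in code. The following is an added example written for this page, not code from the ALL-RUT22GW firmware or from ALLNET: a CGI-style handler that treats a request's "command" parameter as a selector into a fixed allowlist and runs the bound program with execv(), so no shell ever sees request data. The operation names and program paths in ALLOWED_OPS are constructed assumptions; has_shell_metachar() is the kind of secondary check a boundary filter (SC-7) could apply for logging and alerting, independent of the allowlist.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed allowlist (assumption for this example): the handler exposes
 * exactly these operations, each bound to a fixed program and argument
 * vector. The request can choose WHICH entry runs, never what text runs. */
struct allowed_op {
    const char *name;          /* value the "command" parameter must equal */
    const char *const argv[5]; /* NULL-terminated vector passed to execv() */
};

static const struct allowed_op ALLOWED_OPS[] = {
    { "uptime", { "/usr/bin/uptime", NULL } },
    { "ifstat", { "/sbin/ip", "-s", "link", NULL } },
    { "dmesg",  { "/bin/dmesg", NULL } },
};
#define N_ALLOWED (sizeof ALLOWED_OPS / sizeof ALLOWED_OPS[0])

/* Exact, case-sensitive lookup: returns the index of the permitted operation
 * or -1. The parameter is compared, never interpreted, so shell syntax in
 * it has no meaning here. */
int lookup_command(const char *param)
{
    if (param == NULL) return -1;
    for (size_t i = 0; i < N_ALLOWED; i++)
        if (strcmp(param, ALLOWED_OPS[i].name) == 0) return (int)i;
    return -1;
}

/* Defence-in-depth signal for a front-end filter or WAF rule: does the raw
 * parameter contain characters a shell would treat as control syntax?
 * Returns 1 if so. The allowlist alone already rejects such input; this
 * exists so the rejection can be logged as a probable injection attempt. */
int has_shell_metachar(const char *param)
{
    static const char meta[] = ";|&$`<>()\n\r'\"\\{}";
    if (param == NULL) return 0;
    return strpbrk(param, meta) != NULL;
}

/* Hardened execution: resolve the parameter through the allowlist, then run
 * the bound program with fork()/execv(). No shell is spawned, which is the
 * difference from popen(param), where the string is handed to /bin/sh -c.
 * Returns the child's exit status, or -1 if the request was rejected or the
 * process could not be started. */
int run_allowed(const char *param)
{
    int idx = lookup_command(param);
    if (idx < 0) {
        fprintf(stderr, "rejected command parameter (shell metachar=%d)\n",
                has_shell_metachar(param));
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(ALLOWED_OPS[idx].argv[0], (char *const *)ALLOWED_OPS[idx].argv);
        _exit(127); /* exec failed; never fall back to a shell */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    /* Stand-alone use: the first argument plays the role of the request's
     * "command" parameter. */
    const char *param = argc > 1 ? argv[1] : "uptime";
    int rc = run_allowed(param);
    printf("run_allowed(\"%s\") -> %d\n", param, rc);
    return rc < 0 ? 1 : 0;
}
```

The design point is that validation is by identity, not by filtering: rejecting known-bad characters is useful as a detection signal, but the security property comes from never constructing a command line from request data at all.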