Cyber Posture

CVE-2025-43984

Critical · RCE

Published: 14 August 2025
Modified: 15 April 2026
KEV Added: (not listed)
Patch: (none listed)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0089 (75.6th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-43984 is a critical-severity OS Command Injection (CWE-78) vulnerability in Proton (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 24.4% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- SI-10 Information Input Validation (prevent): requires validation of untrusted inputs such as the SSID parameter in POST requests to /goform/goform_set_cmd_process, directly preventing command injection exploitation.
- AC-3 Access Enforcement (prevent): enforces approved authorizations, blocking unauthenticated remote access to the vulnerable endpoint and preventing arbitrary command execution.
- Flaw remediation control (prevent): mandates identification, reporting, and correction of flaws like this command injection vulnerability through timely patching or firmware updates.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Unauthenticated command injection in a network-exposed web endpoint directly enables remote exploitation of a public-facing application for root OS command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An issue was discovered on KuWFi GC111 devices (Hardware Version: CPE-LM321_V3.2, Software Version: GC111-GL-LM321_V3.0_20191211). They are vulnerable to unauthenticated /goform/goform_set_cmd_process requests. A crafted POST request, using the SSID parameter, allows remote attackers to execute arbitrary OS commands with root privileges.

Deeper analysis

CVE-2025-43984 is a critical command injection vulnerability (CWE-78) discovered in KuWFi GC111 devices, specifically Hardware Version CPE-LM321_V3.2 and Software Version GC111-GL-LM321_V3.0_20191211. The flaw resides in the unauthenticated /goform/goform_set_cmd_process endpoint, where a crafted POST request manipulating the SSID parameter enables attackers to execute arbitrary OS commands with root privileges. Published on 2025-08-14, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and lack of prerequisites.

Any remote attacker with network access to the affected device can exploit this vulnerability without authentication, privileges, or user interaction. By sending a specially crafted POST request, they achieve root-level command execution, potentially resulting in complete device takeover, data exfiltration, persistent access, or disruption of services.

Reference materials, including proof-of-concept details, are available at the referenced URLs, such as the actuator/cve GitHub repository and the KuWFi product page; no vendor advisory or patch is detailed in the CVE description.

Details

CWE(s): CWE-78 (OS Command Injection)

Affected Products: Proton (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

- CVE-2025-60803 (shared CWE-78)
- CVE-2025-60738 (shared CWE-78)
- CVE-2026-0781 (shared CWE-78)
- CVE-2024-50603 (shared CWE-78)
- CVE-2026-41247 (shared CWE-78)
- CVE-2026-32968 (shared CWE-78)
- CVE-2026-4631 (shared CWE-78)
- CVE-2025-64111 (shared CWE-78)
- CVE-2025-56819 (shared CWE-78)
- CVE-2024-49601 (shared CWE-78)

References