Cyber Resilience

CVE-2025-55423

Critical · Public PoC · RCE

Published: 20 January 2026

Modified: 30 January 2026
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0333 (87.1th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-55423 is a critical-severity Code Injection (CWE-94) vulnerability in Iptime A104R Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 12.9% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-55423 is a command injection vulnerability (CWE-94) in the upnp_relay() function affecting multiple ipTIME router models. The flaw occurs because the controlURL value, which passes port-forwarding information to an upper router, is directly supplied to the system() function without validation or sanitization, enabling OS command injection. Published on 2026-01-20, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Unauthenticated remote attackers with network access can exploit this vulnerability with low complexity and no user interaction required. By supplying a crafted controlURL, they can inject arbitrary OS commands, achieving high-impact confidentiality, integrity, and availability compromises, such as full router takeover.

Mitigation guidance and affected product details are documented in vendor and researcher advisories, including the ipTIME support page (https://iptime.com/iptime/?pageid=4&page_id=126&dfsid=3&dftid=583&uid=25203&mod=document), a Google Sheet tracker (https://docs.google.com/spreadsheets/d/1kryOFltCmnPJvDTpIrudgryt79uI4PWchuQ8-Gak24c/edit?usp=sharing), and GitHub resources listing impacted models in JSON format (https://github.com/0x0xxxx/CVE/blob/main/CVE-2025-55423/assets/affected_products_cve_format.json) and providing further analysis (https://github.com/0x0xxxx/CVE/blob/main/CVE-2025-55423/README.md).

Vulnerability details

A command injection vulnerability exists in the upnp_relay() function in multiple ipTIME router models because the controlURL value used to pass port-forwarding information to an upper router is passed to system() without proper validation or sanitization, allowing OS command injection.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection vulnerability in UPnP service enables unauthenticated remote exploitation of a public-facing application (T1190) and arbitrary OS command execution via Unix shell (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24498 (same product: Iptime Ax2004M)
CVE-2026-1740 (same product: Iptime A8004T)
CVE-2026-26830 (shared CWE-94)
CVE-2024-54804 (shared CWE-94)
CVE-2025-67038 (shared CWE-94)
CVE-2024-54806 (shared CWE-94)
CVE-2024-36057 (shared CWE-94)
CVE-2026-25001 (shared CWE-94)
CVE-2025-26003 (shared CWE-94)
CVE-2024-23921 (shared CWE-94)

Affected Assets

Vendor, product: affected versions

iptime n104s-r1 firmware: 9.90.8 to 10.02.2
iptime n104v firmware: 9.90.8 to 10.06.8
iptime n1e firmware: 9.90.8 to 10.06.8
iptime n1plus firmware: 9.90.8 to 10.06.8
iptime n1plus-i firmware: 9.99.6 to 10.06.8
iptime n1v firmware: 11.01.2 to 12.07.6
iptime n2e firmware: 9.90.8 to 10.06.8
iptime n2eplus firmware: 9.90.8 to 10.06.8
iptime n2plus firmware: 9.90.8 to 10.06.8
iptime n2plus-i firmware: 9.99.6 to 10.06.8

+153 more product configuration(s); see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly mandates validation and sanitization of the controlURL input prior to passing it to the system() function, preventing OS command injection.

prevent: Requires timely identification, reporting, and correction of the specific command injection flaw in the upnp_relay() function via patching or updates.

prevent: Restricts or disables non-essential UPnP relay functionality on ipTIME routers, eliminating the vulnerable attack surface where possible.
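
One way to implement the controlURL input validation named in the first control above, as an added example that is not ipTIME's firmware code or code from the advisories: a strict allowlist check that rejects anything other than http://host[:port]/path. The function names, the length limit and the accepted character set are assumptions, since the firmware's own parsing is not shown on this page.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CONTROL_URL 256  /* assumed limit, not taken from the advisory */

/* Path allowlist: anything outside it (quotes, ; | & $ backticks,
 * whitespace, control bytes) is rejected rather than escaped. */
static int path_char_ok(unsigned char c)
{
    return c != '\0' && (isalnum(c) || strchr("/._-~", c) != NULL);
}

/* Hypothetical validator: returns 1 only for http://host[:port]/path. */
int control_url_is_safe(const char *url)
{
    const char *p;
    char *end;
    long port;

    if (url == NULL || strlen(url) > MAX_CONTROL_URL) return 0;
    if (strncmp(url, "http://", 7) != 0) return 0;
    p = url + 7;

    /* Host: must start alphanumeric (no leading '-' that could be read
     * as an option), then letters, digits, dots and hyphens only. */
    if (!isalnum((unsigned char)*p)) return 0;
    while (isalnum((unsigned char)*p) || *p == '.' || *p == '-') p++;

    /* Optional port: digits only, range 1..65535. */
    if (*p == ':') {
        if (!isdigit((unsigned char)p[1])) return 0;
        port = strtol(p + 1, &end, 10);
        if (port < 1 || port > 65535) return 0;
        p = end;
    }

    /* Path: required, must start with '/', allowlisted bytes only. */
    if (*p != '/') return 0;
    for (; *p != '\0'; p++)
        if (!path_char_ok((unsigned char)*p)) return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample values, not taken from any device or advisory. */
    printf("%d\n", control_url_is_safe("http://192.168.0.1:49152/upnp/control/WANIPConn1"));
    printf("%d\n", control_url_is_safe("http://192.168.0.1:49152/ctl;id"));
    return 0;
}
```

A check like this is defence in depth: passing the validated value to a helper as a separate argument (for example via `execve`) instead of building a string for system() removes the shell from the path altogether.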
