Cyber Resilience

CVE-2025-6103

Severity: High · Type: RCE

Published: 16 June 2025

Modified: 15 April 2026
CVSS v4 score: 7.4
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0200 (84.0th percentile)
Risk priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-6103 is a high-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 7.4 (High).

Operationally, it ranks in the top 16.0% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

A critical OS command injection vulnerability, tracked as CVE-2025-6103 and mapped to CWE-77 and CWE-78, affects the Wifi-soft UniBox Controller through version 20250506. The flaw resides in the file /billing/test_accesscodelogin.php, where the Password argument is passed into an operating-system command without sanitisation, allowing arbitrary command execution. The issue carries a CVSS 4.0 score of 7.4 and can be reached over the network without user interaction.

An authenticated remote attacker can supply a crafted Password value to execute commands on the underlying system, resulting in full compromise of confidentiality, integrity, and availability on the controller. Public proof-of-concept code has already been released, enabling straightforward exploitation by anyone with low-privileged network access to the device.

No vendor patch or official mitigation guidance is available; the vendor was notified prior to disclosure but did not respond. The referenced advisories and exploit documentation on VulDB and GitHub simply record the public release of the attack details without providing workarounds or configuration changes.

EPSS remains flat at 0.02 with no material rise since publication, indicating limited observed exploitation interest to date despite the availability of working exploit code.


Vulnerability details

A vulnerability, which was classified as critical, has been found in Wifi-soft UniBox Controller up to 20250506. Affected by this issue is some unknown functionality of the file /billing/test_accesscodelogin.php. The manipulation of the argument Password leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.


Mitigating Controls

Likely mitigating controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

Addresses CWE-78: Validates inputs to block special elements that would alter OS command execution.
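As an added illustration of the input-validation control above (not code from the page, the vendor or the product), the following Python check rejects a Password value for the advisory's endpoint when it contains shell metacharacters or falls outside an allow-list. The request shape, the allow-listed character set and the sample traffic are assumptions, since the product's access-code format is not documented here.

```python
import re

# Endpoint and parameter named in the advisory for CVE-2025-6103.
TARGET_PATH = "/billing/test_accesscodelogin.php"
TARGET_PARAM = "Password"

# Assumption: a legitimate access code is short and drawn from this character set.
# The real product's code format is not documented on the advisory page.
ALLOWED_VALUE = re.compile(r"[A-Za-z0-9@#_.!-]{1,64}")

# Shell metacharacters that would alter OS command execution (CWE-78).
SHELL_META = re.compile(r"[;&|`$<>\\(){}\n\r]")


def classify_request(path: str, form: dict) -> tuple:
    """Decide how a gateway (or the app itself) should treat one request.

    Returns (verdict, reason); verdict is 'ignore', 'allow' or 'block'.
    """
    if path != TARGET_PATH or TARGET_PARAM not in form:
        return ("ignore", "")
    value = form[TARGET_PARAM]
    if SHELL_META.search(value):
        return ("block", "shell metacharacter in Password")
    if not ALLOWED_VALUE.fullmatch(value):
        return ("block", "Password outside allow-list")
    return ("allow", "")


def review_batch(requests) -> dict:
    """Count verdicts over (path, form) pairs without logging secret values."""
    counts = {"ignore": 0, "allow": 0, "block": 0}
    for path, form in requests:
        verdict, reason = classify_request(path, form)
        counts[verdict] += 1
        if verdict == "block":
            # Report length and reason only; never echo the submitted value.
            print(f"blocked {path}: {reason} (len={len(form[TARGET_PARAM])})")
    return counts


# Constructed sample traffic (not captured from any real device).
SAMPLE_REQUESTS = [
    ("/billing/test_accesscodelogin.php", {"Password": "Guest-2025"}),
    ("/billing/test_accesscodelogin.php", {"Password": "abc; x"}),
    ("/billing/test_accesscodelogin.php", {"Password": "a" * 65}),
    ("/index.php", {"user": "alice"}),
]

if __name__ == "__main__":
    print(review_batch(SAMPLE_REQUESTS))  # {'ignore': 1, 'allow': 1, 'block': 2}
```

Placing such a check in front of the device is a stop-gap until the vendor ships a fix; the blocked count is also a useful detection signal for this endpoint.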
