CVE-2025-6104

Severity: High
Type: RCE

Published: 16 June 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: none listed
CVSS v4.0 score: 7.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0200 (84.0th percentile)
Risk priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-6104 is a high-severity command injection (CWE-77) vulnerability with a CVSS v4.0 base score of 7.4 (High).

Operationally, it ranks in the top 16.0% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

A critical OS command injection vulnerability, tracked as CVE-2025-6104 and assigned CWE-77 and CWE-78, exists in Wifi-soft UniBox Controller versions through 20250506. The flaw resides in an unauthenticated code path within the file /billing/pms_check.php, where the ipaddress parameter is passed directly to a system command without proper sanitization.

An authenticated remote attacker can supply a crafted ipaddress value to execute arbitrary operating-system commands on the controller. Successful exploitation grants the attacker full control over the affected device, including the ability to read or modify sensitive data and alter system behavior, with the attack surface reachable over the network.

Public proof-of-concept material has been released, and the vendor was notified prior to disclosure but provided no response or patch. The EPSS score remains low and unchanged at 0.02, indicating limited observed exploitation interest to date.

EU & UK References

Vulnerability details

A vulnerability, which was classified as critical, was found in Wifi-soft UniBox Controller up to 20250506. This affects an unknown part of the file /billing/pms_check.php. The manipulation of the argument ipaddress leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

Addresses CWE-78: Validates inputs to block special elements that would alter OS command execution.
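The input-validation control above, as an added example in PHP (the language of the affected file). This is not UniBox code and not the vendor's fix; the handler, function names and the ping-based connectivity check are assumptions chosen to mirror an endpoint that takes an ipaddress parameter and runs a system command with it. It shows the generic CWE-78 shape beside a hardened form that allow-lists the value as an IP literal and quotes the argument.

```php
<?php
// Added example, not code from the UniBox product or this page.
// Assumed context: a web endpoint receives an "ipaddress" query parameter and
// runs a reachability check (Linux ping syntax) against it.

// Generic CWE-78 pattern: the raw parameter is concatenated into a shell command,
// so any shell special element in the value changes what the shell executes.
function pmsCheckUnsafe(string $ipaddress): string
{
    return (string) shell_exec("ping -c 1 " . $ipaddress);
}

// Hardened form, step 1: allow-list validation. Reject anything that is not a
// syntactically valid IPv4/IPv6 address. A valid IP literal contains only digits,
// dots, hex digits and colons, so every shell special element is excluded.
function validateIpAddress(?string $value): ?string
{
    if ($value === null) {
        return null;
    }
    $ip = filter_var($value, FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

// Hardened form, step 2: quote the argument anyway. escapeshellarg() turns it into
// a single-quoted literal the shell never interprets (defence in depth, in case the
// validation rule is later loosened).
function pmsCheckHardened(?string $ipaddress): array
{
    $ip = validateIpAddress($ipaddress);
    if ($ip === null) {
        http_response_code(400);
        return ['ok' => false, 'error' => 'ipaddress must be a valid IP address'];
    }
    $cmd = 'ping -c 1 -W 1 ' . escapeshellarg($ip) . ' 2>&1';
    exec($cmd, $output, $status);
    return ['ok' => $status === 0, 'ip' => $ip, 'output' => $output];
}

// Constructed sample inputs: a plain address, an IPv6 address, and a value that
// carries a shell special element and must be rejected before any command runs.
foreach (['192.0.2.10', '2001:db8::1', '192.0.2.10; extra'] as $candidate) {
    $result = validateIpAddress($candidate);
    printf("%-20s -> %s\n", $candidate, $result === null ? 'rejected' : 'accepted');
}

// Wiring into a request handler (commented out so the file also runs from the CLI):
// header('Content-Type: application/json');
// echo json_encode(pmsCheckHardened($_GET['ipaddress'] ?? null));
```

From a monitoring standpoint, the rejected branch is worth logging: requests to this kind of endpoint whose ipaddress value fails IP validation are a cheap, low-noise signal to alert on.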

References