Cyber Resilience

CVE-2025-66848

Critical · RCE

Published: 30 December 2025

Modified: 09 January 2026
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0101 (58.7th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-66848 is a critical-severity Code Injection (CWE-94) vulnerability in Jdcloud Ax1800 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 41.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2025-66848 is an unauthorized remote command execution vulnerability (CWE-94) present in JD Cloud NAS routers. Affected models and versions include AX1800 (4.3.1.r4308 and earlier), AX3000 (4.3.1.r4318 and earlier), AX6600 (4.5.1.r4533 and earlier), BE6500 (4.4.1.r4308 and earlier), ER1 (4.5.1.r4518 and earlier), and ER2 (4.5.1.r4518 and earlier). The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-12-30.

Remote attackers with network access to affected routers can exploit this vulnerability without authentication, privileges, or user interaction. Successful exploitation enables arbitrary command execution, potentially leading to high-impact compromise of confidentiality, integrity, and availability on the targeted devices.

Mitigation guidance is available in vendor advisories, including those at http://jd.com, https://www.notion.so/JD-Cloud-Unauth-RCE-2d22b76e8e0c802c975bf186b208d0c2, and https://www.jdcloud.com/cn/.

Vulnerability details

JD Cloud NAS routers AX1800 (4.3.1.r4308 and earlier), AX3000 (4.3.1.r4318 and earlier), AX6600 (4.5.1.r4533 and earlier), BE6500 (4.4.1.r4308 and earlier), ER1 (4.5.1.r4518 and earlier), and ER2 (4.5.1.r4518 and earlier) contain an unauthorized remote command execution vulnerability.

CWE(s)

CWE-94 (Code Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables unauthorized remote command execution (RCE) on public-facing JD Cloud NAS routers without authentication, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-25789 (shared CWE-94)
CVE-2025-26264 (shared CWE-94)
CVE-2025-11539 (shared CWE-94)
CVE-2025-2803 (shared CWE-94)
CVE-2026-33479 (shared CWE-94)
CVE-2025-13773 (shared CWE-94)
CVE-2026-37712 (shared CWE-94)
CVE-2026-9170 (shared CWE-94)
CVE-2025-8417 (shared CWE-94)
CVE-2024-13495 (shared CWE-94)

Affected Assets

jdcloud ax1800 firmware: ≤ 4.3.1.r4308
jdcloud ax3000 firmware: ≤ 4.3.1.r4318
jdcloud ax6600 firmware: ≤ 4.5.1.r4533
jdcloud be6500 firmware: ≤ 4.4.1.r4308
jdcloud er1 firmware: ≤ 4.5.1.r4518
jdcloud er2 firmware: ≤ 4.5.1.r4518

Mitigating Controls (NIST 800-53 r5)

Prevent: Requires timely identification, reporting, and remediation of flaws such as this unauthorized remote command execution vulnerability in router firmware.

Prevent: Explicitly identifies, authorizes, and controls actions performable without identification or authentication, preventing unauthorized remote command execution.

Prevent: Monitors and controls communications at external interfaces, restricting network access to vulnerable NAS routers and blocking exploitation attempts.
