Cyber Posture

CVE-2025-67113

Critical, RCE

Published: 19 March 2026

Modified: 24 March 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0045 (63.7th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-67113 is a critical-severity Code Injection (CWE-94) vulnerability in Fcc (product name inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 36.3% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and two other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly prevents OS command injection by requiring validation of the unescaped TR-069 Download URL before it is passed into the firmware upgrade pipeline.

Prevent: Addresses the specific flaw in the CWMP client by identifying, prioritizing, and applying the firmware upgrade to DG3934v3@2308041842 or later.

Prevent: Enforces restrictions on the types and quantity of TR-069 Download URL inputs to the CWMP client, limiting opportunities for crafted malicious payloads.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The vulnerability is a remote OS command injection in a network-exposed CWMP/TR-069 client, enabling exploitation of a public-facing application (T1190), exploitation of remote services (T1210), and arbitrary Unix shell command execution as root (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

OS command injection in the CWMP client (/ftl/bin/cwmp) of Small Cell Sercomm SCE4255W (FreedomFi Englewood) firmware before DG3934v3@2308041842 allows remote attackers controlling the ACS endpoint to execute arbitrary commands as root via a crafted TR-069 Download URL that is passed unescaped into the firmware upgrade pipeline.

Deeper analysis

CVE-2025-67113, published on 2026-03-19, is an OS command injection vulnerability (CWE-94) in the CWMP client at /ftl/bin/cwmp within the Small Cell Sercomm SCE4255W (FreedomFi Englewood) firmware versions before DG3934v3@2308041842. The flaw arises because the TR-069 Download URL is passed unescaped into the firmware upgrade pipeline. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting critical severity due to its network reach, low complexity, and potential for high-impact confidentiality, integrity, and availability effects.

Remote attackers who control the ACS endpoint can exploit this vulnerability by supplying a crafted TR-069 Download URL during a firmware upgrade interaction. The unescaped URL injects and executes arbitrary OS commands as root on the targeted device, granting full system compromise without requiring user privileges or interaction.

Mitigation requires upgrading to firmware version DG3934v3@2308041842 or later, as earlier versions are affected. Additional details appear in the referenced sources: the FCC report (https://fcc.report/FCC-ID/P27-SCE4255W/4790935.pdf), the FreedomFi website (https://freedomfi.com/index.html), and the Nero Team blog (https://neroteam.com/blog/freedomfi-sercomm-sce4255w-englewood).
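As an added defensive example (not code from Sercomm, FreedomFi, or this page), the following C shows how the SI-10 input-validation control could be applied inside a CWMP client: the TR-069 Download URL is checked against a strict allowlist and then handed to the downloader as its own argv element, never through a shell. The wget path, the allowed character set, and the function names are assumptions.

```c
/* Added example (hypothetical, not the Sercomm/FreedomFi code): validate a
 * TR-069 Download URL before the firmware upgrade pipeline uses it, and
 * launch the downloader without a shell so metacharacters stay inert. */
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_URL_LEN 512

/* Allowlist: letters, digits and a small set of URL punctuation. Shell
 * metacharacters such as ; | $ ` ( ) < > quotes and whitespace are absent.
 * '&' is kept for query strings; it is harmless because no shell ever
 * sees the string (see fetch_firmware_image). Assumed policy, adjust as needed. */
static const char URL_PUNCT_OK[] = "-._~:/?=&%+@";

bool validate_download_url(const char *url)
{
    if (url == NULL) return false;
    size_t len = strlen(url);
    if (len == 0 || len > MAX_URL_LEN) return false;
    /* Scheme check: only the transports the upgrade pipeline supports. */
    if (strncmp(url, "https://", 8) != 0 && strncmp(url, "http://", 7) != 0)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)url[i];
        if (!isalnum(c) && strchr(URL_PUNCT_OK, c) == NULL)
            return false;
    }
    return true;
}

/* Run the downloader with the URL as a separate argv element. No shell is
 * involved, so even characters the allowlist admits cannot alter the command.
 * Returns 0 on success, -1 on rejection or failure. */
int fetch_firmware_image(const char *url, const char *dest)
{
    if (!validate_download_url(url)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* /usr/bin/wget is an assumed path; BusyBox wget accepts -q and -O. */
        execl("/usr/bin/wget", "wget", "-q", "-O", dest, url, (char *)NULL);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```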

Details

CWE(s): CWE-94 (Code Injection)

Affected Products: Fcc (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

Shared CWE-94: CVE-2026-3120, CVE-2025-25680, CVE-2026-25001, CVE-2026-29955, CVE-2024-54805, CVE-2025-65294, CVE-2024-54803, CVE-2025-67035, CVE-2024-44722, CVE-2024-42911

References