Cyber Resilience

CVE-2025-9972

Critical · RCE

Published: 17 September 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score v4: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0026 (50.0th percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-9972 is a critical-severity OS Command Injection (CWE-78) vulnerability in certain models of Planet Technology Industrial Cellular Gateway devices (affected vendor inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 50.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-8 (Identification and Authentication (Non-organizational Users)) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-9972 is an OS command injection vulnerability (CWE-78) affecting certain models of Industrial Cellular Gateway devices developed by Planet Technology. Published on 2025-09-17, the flaw enables unauthenticated remote attackers to inject and execute arbitrary OS commands on the device. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting critical severity due to its network accessibility, low attack complexity, and high impacts across confidentiality, integrity, and availability.

Unauthenticated attackers with network access to the affected device can exploit this vulnerability remotely without requiring privileges or user interaction. Exploitation allows full execution of arbitrary operating system commands, granting attackers potential control over the device for malicious purposes such as data exfiltration, modification, or disruption.

Security advisories from Planet Technology and TWCERT provide further details on the vulnerability, including affected models and recommended mitigations: https://www.planet.com.tw/en/support/security-advisory/8, https://www.twcert.org.tw/en/cp-139-10390-7ce12-2.html, and https://www.twcert.org.tw/tw/cp-132-10389-265a3-1.html.

Vulnerability details

Certain models of Industrial Cellular Gateway developed by Planet Technology have an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the device.

CWE(s)

CWE-78 (OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Direct unauthenticated RCE via OS command injection on a public-facing gateway enables T1190 for initial access and T1059.004 for Unix shell command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-42454 (shared CWE-78)
CVE-2026-34796 (shared CWE-78)
CVE-2024-57016 (shared CWE-78)
CVE-2025-50475 (shared CWE-78)
CVE-2024-57015 (shared CWE-78)
CVE-2026-36828 (shared CWE-78)
CVE-2024-57595 (shared CWE-78)
CVE-2026-25196 (shared CWE-78)
CVE-2024-50566 (shared CWE-78)
CVE-2026-23592 (shared CWE-78)

Affected Assets

Planet Technology Industrial Cellular Gateway (certain models)
Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent · recover

Directly mandates timely remediation of the specific OS command injection flaw through patching and testing as recommended in vendor advisories.

prevent

Prevents OS command injection by requiring validation of all inputs to block arbitrary command execution on the device.

prevent

Mitigates unauthenticated remote access by requiring identification and authentication for non-organizational users interacting with the vulnerable gateway.

References