CVE-2025-9972
Published: 17 September 2025
Summary
CVE-2025-9972 is a critical-severity OS Command Injection (CWE-78) vulnerability in certain Industrial Cellular Gateway models developed by Planet Technology. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 50.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-8 (Identification and Authentication (Non-organizational Users)) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-9972 is an OS command injection vulnerability (CWE-78) affecting certain models of Industrial Cellular Gateway devices developed by Planet Technology. Published on 2025-09-17, the flaw enables unauthenticated remote attackers to inject and execute arbitrary OS commands on the device. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting critical severity due to its network accessibility, low attack complexity, and high impacts across confidentiality, integrity, and availability.
Unauthenticated attackers with network access to the affected device can exploit this vulnerability remotely without requiring privileges or user interaction. Exploitation allows full execution of arbitrary operating system commands, granting attackers potential control over the device for malicious purposes such as data exfiltration, modification, or disruption.
Security advisories from Planet Technology and TWCERT provide further details on the vulnerability, including affected models and recommended mitigations: https://www.planet.com.tw/en/support/security-advisory/8, https://www.twcert.org.tw/en/cp-139-10390-7ce12-2.html, and https://www.twcert.org.tw/tw/cp-132-10389-265a3-1.html.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-29700
Vulnerability details
Certain models of Industrial Cellular Gateway developed by Planet Technology have an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the device.
- CWE(s): CWE-78
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unauthenticated remote code execution via OS command injection on a public-facing gateway maps to T1190 for initial access and T1059.004 for Unix shell command execution.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Directly mandates timely remediation of the specific OS command injection flaw through patching and testing as recommended in vendor advisories.
- Prevents OS command injection by requiring validation of all inputs to block arbitrary command execution on the device.
- Mitigates unauthenticated remote access by requiring identification and authentication for non-organizational users interacting with the vulnerable gateway.