CVE-2025-35008

EUVD-2025-17400

08.06.2025, 21:15

Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue in the AT+MMNAME command that can lead to privilege escalation. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). This issue has not been generally fixed at the time of this CVE record's first publishing.

Argument Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.1 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
AHA	CNA	7.1 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 34%

Affected Products (NVD)

Vendor	Product	Version
microhardcorp	ipn4gii-na2_firmware	𝑥 ≤ 1.2.0-r1132
microhardcorp	bulletlte-na2_firmware	𝑥 ≤ 1.2.0-r1132

𝑥

= Vulnerable software versions

Known Exploits!

https://takeonme.org/cves/cve-2025-35008/

Common Weakness Enumeration

CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
The software constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

References

https://support.microhardcorp.com/portal/en/kb/articles/ipn4gii-bullet-lte-firmware

https://takeonme.org/cves/cve-2025-35008/

https://www.microhardcorp.com/BulletLTE-NA2.php

https://www.microhardcorp.com/IPn4Gii-NA2.php