CVE-2025-55423

EUVD-2026-3376
A command injection vulnerability exists in the upnp_relay() function in multiple ipTIME router models because the controlURL value used to pass port-forwarding information to an upper router is passed to system() without proper validation or sanitization, allowing OS command injection.
Code Injection
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | Primary | 9.8 CRITICAL | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA-ADP | ADP | 9.8 CRITICAL | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score percentile: 67%
Affected Products (NVD)
Vendor | Product | Version
iptime | n104s-r1_firmware | 9.90.8 ≤ 𝑥 ≤ 10.02.2
iptime | n104v_firmware | 9.90.8 ≤ 𝑥 ≤ 10.06.8
iptime | n1e_firmware | 9.90.8 ≤ 𝑥 ≤ 10.06.8
iptime | n1plus_firmware | 9.90.8 ≤ 𝑥 ≤ 10.06.8
iptime | n1plus-i_firmware | 9.99.6 ≤ 𝑥 ≤ 10.06.8
iptime | n1v_firmware | 11.01.2 ≤ 𝑥 ≤ 12.07.6
iptime | n2e_firmware | 9.90.8 ≤ 𝑥 ≤ 10.06.8
iptime | n2eplus_firmware | 9.90.8 ≤ 𝑥 ≤ 10.06.8
iptime | n2plus_firmware | 9.90.8 ≤ 𝑥 ≤ 10.06.8
iptime | n2plus-i_firmware | 9.99.6 ≤ 𝑥 ≤ 10.06.8
iptime | n2v_firmware | 10.09.2 ≤ 𝑥 ≤ 12.16.8
iptime | n2vs_firmware | 12.16.8
iptime | n3_firmware | 9.93.2 ≤ 𝑥 ≤ 10.06.8
iptime | n3-i_firmware | 9.99.6 ≤ 𝑥 ≤ 10.06.8
iptime | n5_firmware | 9.90.8 ≤ 𝑥 ≤ 10.06.8
iptime | n5-i_firmware | 9.99.6 ≤ 𝑥 ≤ 10.06.8
iptime | n6_firmware | 9.96.8 ≤ 𝑥 ≤ 10.06.8
iptime | n600_firmware | 10.00.8 ≤ 𝑥 ≤ 12.16.2
iptime | n6004r_firmware | 9.90.8 ≤ 𝑥 ≤ 10.02.2
iptime | n602e_firmware | 11.96.6 ≤ 𝑥 ≤ 12.16.8
iptime | n602eplus_firmware | 12.14.2 ≤ 𝑥 ≤ 12.16.2
iptime | n602se_firmware | 14.19.0 ≤ 𝑥 ≤ 14.19.4
iptime | n604_black_firmware | 9.93.8 ≤ 𝑥 ≤ 12.16.2
iptime | n604a_firmware | 9.90.8 ≤ 𝑥 ≤ 10.06.8
iptime | n604e_firmware | 10.09.2 ≤ 𝑥 ≤ 14.19.4
iptime | n604eplus_firmware | 12.14.2 ≤ 𝑥 ≤ 14.19.4
iptime | n604plus_firmware | 9.90.8 ≤ 𝑥 ≤ 12.15.2
iptime | n604plus-i_firmware | 9.99.6 ≤ 𝑥 ≤ 12.14.6
iptime | n604r_firmware | 9.90.8 ≤ 𝑥 ≤ 10.06.8
iptime | n604rplus_firmware | 9.90.8 ≤ 𝑥 ≤ 10.06.8
iptime | n604rplus-i_firmware | 9.99.6 ≤ 𝑥 ≤ 10.06.8
iptime | n604s_firmware | 9.90.8 ≤ 𝑥 ≤ 10.06.8
iptime | n604se_firmware | 14.18.4 ≤ 𝑥 ≤ 14.19.4
iptime | n604t_firmware | 9.90.8 ≤ 𝑥 ≤ 10.03.2
iptime | n604tplus_firmware | 9.90.8 ≤ 𝑥 ≤ 10.03.2
iptime | n604v_firmware | 9.90.8 ≤ 𝑥 ≤ 10.06.8
iptime | n604vplus_firmware | 9.90.8 ≤ 𝑥 ≤ 10.06.8
iptime | n7004ns_firmware | 9.91.2
iptime | n702bcm_firmware | 9.90.8 ≤ 𝑥 ≤ 12.16.2
iptime | n702e_firmware | 10.09.2 ≤ 𝑥 ≤ 12.16.2
iptime | ax11000_firmware | 14.16.6 ≤ 𝑥 ≤ 14.19.4
iptime | ax2002mesh_firmware | 14.16.6 ≤ 𝑥 ≤ 14.19.4
iptime | ax2004_firmware | 14.17.4 ≤ 𝑥 ≤ 14.19.4
iptime | ax2004bcm_firmware | 12.04.2 ≤ 𝑥 ≤ 14.19.4
iptime | ax2004m_firmware | 14.02.0 ≤ 𝑥 ≤ 14.19.4
iptime | ax3004bcm_firmware | 14.16.2 ≤ 𝑥 ≤ 14.19.4
iptime | ax3004itl_firmware | 12.01.2 ≤ 𝑥 ≤ 14.19.4
iptime | ax8004bcm_firmware | 11.97.2 ≤ 𝑥 ≤ 14.19.4
iptime | ax8004m_firmware | 14.05.2 ≤ 𝑥 ≤ 14.19.4
iptime | ax8008m_firmware | 14.15.4 ≤ 𝑥 ≤ 14.19.4
iptime | a1_firmware | 9.96.8 ≤ 𝑥 ≤ 10.07.4
iptime | a1004_firmware | 9.90.8 ≤ 𝑥 ≤ 12.16.2
iptime | a1004ns_firmware | 9.96.0 ≤ 𝑥 ≤ 12.16.2
iptime | a1004v_firmware | 9.90.8 ≤ 𝑥 ≤ 12.16.2
iptime | a104_firmware | 9.90.8 ≤ 𝑥 ≤ 10.03.8
iptime | a104ns_firmware | 9.96.0 ≤ 𝑥 ≤ 12.16.2
iptime | a104r_firmware | 9.90.8 ≤ 𝑥 ≤ 10.07.4
iptime | a104r_firmware | -
iptime | a2003mu_firmware | 12.13.0 ≤ 𝑥 ≤ 12.16.2
iptime | a2003ns-mu_firmware | 10.00.6 ≤ 𝑥 ≤ 12.16.2
iptime | a2004_firmware | 9.90.8 ≤ 𝑥 ≤ 10.07.4
iptime | a2004mu_firmware | 10.08.6 ≤ 𝑥 ≤ 12.17.0
iptime | a2004ns_firmware | 9.90.8 ≤ 𝑥 ≤ 11.00.4
iptime | a2004ns-mu_firmware | 10.08.6 ≤ 𝑥 ≤ 12.17.0
iptime | a2004ns-r_firmware | 9.90.8 ≤ 𝑥 ≤ 11.00.4
iptime | a2004nsplus_firmware | 9.90.8 ≤ 𝑥 ≤ 11.00.4
iptime | a2004plus_firmware | 9.90.8 ≤ 𝑥 ≤ 10.07.4
iptime | a2004r_firmware | 9.90.8 ≤ 𝑥 ≤ 10.07.4
iptime | a2004se_firmware | 14.16.6 ≤ 𝑥 ≤ 14.19.4
iptime | a2008_firmware | 9.90.8 ≤ 𝑥 ≤ 10.07.4
iptime | a3_firmware | 9.97.2 ≤ 𝑥 ≤ 10.07.2
iptime | a3002mesh_firmware | 12.05.4 ≤ 𝑥 ≤ 14.19.4
iptime | a3003ns_firmware | 9.99.8 ≤ 𝑥 ≤ 11.00.4
iptime | a3004_firmware | 9.90.8 ≤ 𝑥 ≤ 10.08.2
iptime | a3004-dual_firmware | 9.90.4 ≤ 𝑥 ≤ 10.07.2
iptime | a3004m_firmware | 14.18.4 ≤ 𝑥 ≤ 14.19.4
iptime | a3004ns_firmware | 9.90.2 ≤ 𝑥 ≤ 10.09.4
iptime | a3004ns-bcm_firmware | 9.95.8 ≤ 𝑥 ≤ 11.00.4
iptime | a3004ns-dual_firmware | 9.90.4 ≤ 𝑥 ≤ 12.09.4
iptime | a3004ns-m_firmware | 10.05.4 ≤ 𝑥 ≤ 14.19.4
iptime | a3004t_firmware | 12.10.2 ≤ 𝑥 ≤ 14.19.4
iptime | a3004tw_firmware | 14.15.2 ≤ 𝑥 ≤ 14.19.4
iptime | a3008-mu_firmware | 10.08.4 ≤ 𝑥 ≤ 14.19.4
iptime | a304_firmware | 10.05.4 ≤ 𝑥 ≤ 10.07.4
iptime | a5004ns_firmware | 9.90.2 ≤ 𝑥 ≤ 11.00.4
iptime | a5004ns-m_firmware | 10.05.4 ≤ 𝑥 ≤ 14.19.4
iptime | a6004mx_firmware | 12.04.6 ≤ 𝑥 ≤ 14.19.4
iptime | a6004ns_firmware | 9.90.2 ≤ 𝑥 ≤ 11.00.4
iptime | a6004ns-m_firmware | 9.99.8 ≤ 𝑥 ≤ 14.19.4
iptime | a604_firmware | 9.90.8 ≤ 𝑥 ≤ 12.06.6
iptime | a604-v3_firmware | 10.01.6 ≤ 𝑥 ≤ 10.07.2
iptime | a604-v5_firmware | 10.09.2 ≤ 𝑥 ≤ 12.16.2
iptime | a604g-mu_firmware | 10.07.4 ≤ 𝑥 ≤ 12.16.2
iptime | a604g-skylife_firmware | 12.02.4 ≤ 𝑥 ≤ 12.12.4
iptime | a604m_firmware | 10.06.4 ≤ 𝑥 ≤ 10.07.2
iptime | a604mu_firmware | 12.12.4 ≤ 𝑥 ≤ 12.16.2
iptime | a604r_firmware | 10.09.2 ≤ 𝑥 ≤ 12.16.2
iptime | a604se_firmware | 14.17.2 ≤ 𝑥 ≤ 14.19.4
iptime | a604v_firmware | 9.90.8 ≤ 𝑥 ≤ 10.07.4
iptime | a6ns-m_firmware | 10.01.6 ≤ 𝑥 ≤ 14.19.4
iptime | a7004m_firmware | 10.06.8 ≤ 𝑥 ≤ 14.19.4
iptime | a704ns-bcm_firmware | 9.95.8 ≤ 𝑥 ≤ 11.00.4
iptime | a7ns_firmware | 9.96.0 ≤ 𝑥 ≤ 11.00.4
iptime | a8004bcm_firmware | 11.99.1 ≤ 𝑥 ≤ 12.16.2
iptime | a8004itl_firmware | 11.00.4 ≤ 𝑥 ≤ 14.19.4
iptime | a8004ns-m_firmware | 9.99.2 ≤ 𝑥 ≤ 14.19.4
iptime | a8004t_firmware | 10.06.8 ≤ 𝑥 ≤ 14.19.4
iptime | a8004t-xr_firmware | 11.97.2 ≤ 𝑥 ≤ 14.19.4
iptime | a804ns-mu_firmware | 10.06.4 ≤ 𝑥 ≤ 12.10.2
iptime | a8ns-m_firmware | 10.03.2 ≤ 𝑥 ≤ 14.19.4
iptime | a9004m_firmware | 10.05.4 ≤ 𝑥 ≤ 14.19.4
iptime | a9004m-x2_firmware | 11.98.2 ≤ 𝑥 ≤ 14.19.4
iptime | ew302n_firmware | 9.90.8 ≤ 𝑥 ≤ 12.16.2
iptime | n102e_firmware | 11.00.8 ≤ 𝑥 ≤ 12.15.2
iptime | n102eplus_firmware | 12.14.2 ≤ 𝑥 ≤ 12.15.2
iptime | n102i_firmware | 11.01.2 ≤ 𝑥 ≤ 12.15.2
iptime | n102iplus_firmware | 12.14.2 ≤ 𝑥 ≤ 12.15.2
iptime | n104_black_firmware | 9.93.8 ≤ 𝑥 ≤ 10.06.8
iptime | n104e_firmware | 10.09.4 ≤ 𝑥 ≤ 12.15.2
iptime | n104eplus_firmware | 12.14.2 ≤ 𝑥 ≤ 12.15.2
iptime | n104k_firmware | 9.90.8 ≤ 𝑥 ≤ 10.06.8
iptime | n104plus_firmware | 9.90.8 ≤ 𝑥 ≤ 10.06.8
iptime | n104plus-i_firmware | 9.99.6 ≤ 𝑥 ≤ 10.06.8
iptime | n104q_firmware | 9.90.8 ≤ 𝑥 ≤ 10.06.8
iptime | n104q-i_firmware | 9.99.6 ≤ 𝑥 ≤ 10.06.8
iptime | n104r_firmware | 9.90.8 ≤ 𝑥 ≤ 10.06.8
iptime | n702eplus_firmware | 12.12.4 ≤ 𝑥 ≤ 12.16.2
iptime | n702r_firmware | 10.05.8 ≤ 𝑥 ≤ 10.06.8
iptime | n704-a3_firmware | 9.90.8 ≤ 𝑥 ≤ 10.06.8
iptime | n704bcm_firmware | 9.90.8 ≤ 𝑥 ≤ 12.16.2
iptime | n704e_firmware | 11.98.4 ≤ 𝑥 ≤ 12.16.2
iptime | n704eplus_firmware | 12.14.2 ≤ 𝑥 ≤ 12.16.2
iptime | n704ns_firmware | 9.91.4 ≤ 𝑥 ≤ 9.96.0
iptime | n704qca_firmware | 10.02.4 ≤ 𝑥 ≤ 12.16.2
iptime | n704v3_firmware | 9.90.8 ≤ 𝑥 ≤ 12.10.2
iptime | n8004r_firmware | 9.90.8 ≤ 𝑥 ≤ 10.02.2
iptime | n8004v_firmware | 9.90.8 ≤ 𝑥 ≤ 10.02.2
iptime | n804_firmware | 9.91.2 ≤ 𝑥 ≤ 9.96.8
iptime | n804a_firmware | 9.91.2 ≤ 𝑥 ≤ 9.96.8
iptime | n804a3_firmware | 9.90.8 ≤ 𝑥 ≤ 9.96.8
iptime | n804r_firmware | 10.06.4 ≤ 𝑥 ≤ 12.16.2
iptime | n804t_firmware | 9.91.2 ≤ 𝑥 ≤ 9.96.8
iptime | n804t3_firmware | 9.90.8 ≤ 𝑥 ≤ 9.96.8
iptime | n804v_firmware | 9.91.2 ≤ 𝑥 ≤ 9.96.8
iptime | n904_firmware | 9.90.8 ≤ 𝑥 ≤ 10.02.2
iptime | n904ns_firmware | 9.91.4 ≤ 𝑥 ≤ 9.96.0
iptime | n904plus_firmware | 9.90.8 ≤ 𝑥 ≤ 10.02.2
iptime | n904v_firmware | 9.90.8 ≤ 𝑥 ≤ 10.02.2
iptime | smart_firmware | 9.90.8 ≤ 𝑥 ≤ 9.94.2
iptime | q1_firmware | 9.91.2
iptime | q304_firmware | 9.91.2
iptime | q504_firmware | 9.91.2
iptime | q604_firmware | 9.91.2
iptime | t16000_firmware | 9.91.2 ≤ 𝑥 ≤ 11.03.6
iptime | t16000m_firmware | 12.07.4 ≤ 𝑥 ≤ 14.19.4
iptime | t24000_firmware | 9.91.2 ≤ 𝑥 ≤ 11.03.6
iptime | t24000m_firmware | 12.07.4 ≤ 𝑥 ≤ 14.19.4
iptime | t3004_firmware | 9.90.8 ≤ 𝑥 ≤ 12.07.6
iptime | t3008_firmware | 9.90.8 ≤ 𝑥 ≤ 12.09.6
iptime | t5004_firmware | 11.96.4 ≤ 𝑥 ≤ 14.19.4
iptime | t5008_firmware | 11.98.2 ≤ 𝑥 ≤ 14.19.4
iptime | v304_firmware | 9.91.2
iptime | v504_firmware | 9.90.8 ≤ 𝑥 ≤ 12.15.2
iptime | v508_firmware | 10.02.2 ≤ 𝑥 ≤ 10.06.4

𝑥 = Vulnerable software versions