CVE-2025-0680: New Rock Technologies Cloud Connected Devices has a Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vuln...

9.3 CVSS

Description

Affected products contain a vulnerability in the device cloud rpc command handling process that could allow remote attackers to take control over arbitrary devices connected to the cloud.

Classification

CVE ID: CVE-2025-0680

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.3

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products

Vendor: New Rock Technologies

Product: OM500 IP-PBX

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 12.06% (scored less or equal to compared to others)

EPSS Date: 2025-02-28 (when was this score calculated)

References

https://www.cisa.gov/news-events/ics-advisories/icsa-25-030-02
https://www.newrocktech.com/ContactUs/index.html

Timeline

2025-01-30 18:15:27 UTC
All CISA Advisories

New Rock Technologies Cloud Connected Devices
2025-01-31 00:30:21 UTC
CVE

New Rock Technologies Cloud Connected Devices has a Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vuln...