CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-35007: Microhard Bullet-LTE and IPn4Gii AT+MFRULE Argument Injection

7.1 CVSS

Description

Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue in the AT+MFRULE command that can lead to privilege escalation. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). This issue has not been generally fixed at the time of this CVE record's first publishing.

Classification

CVE ID: CVE-2025-35007

CVSS Base Severity: HIGH

CVSS Base Score: 7.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Problem Types

CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Affected Products

Vendor: Microhard

Product: IPn4Gii / Bullet-LTE Firmware

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.09% (probability of being exploited)

EPSS Percentile: 26.46% (scored less or equal to compared to others)

EPSS Date: 2025-06-27 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-35007
https://takeonme.org/cves/cve-2025-35007/
https://www.microhardcorp.com/BulletLTE-NA2.php
https://www.microhardcorp.com/IPn4Gii-NA2.php
https://support.microhardcorp.com/portal/en/kb/articles/ipn4gii-bullet-lte-firmware

Timeline

2025-06-08 22:40:11 UTC
CVE

Microhard Bullet-LTE and IPn4Gii AT+MFRULE Argument Injection