CVE-2025-4010: Arbitrary Command Injection in Netcomm NTC-6200 & NWL-222

8.6 CVSS

Description

The Netcomm NTC 6200 and NWL 222 series expose a web interface that operators use to configure and set up the devices. Multiple endpoints of the web interface are vulnerable to arbitrary command injection and use insecure hardcoded passwords. Remote authenticated attackers can gain arbitrary code execution with elevated privileges.

Classification

CVE ID: CVE-2025-4010

CVSS Base Severity: HIGH

CVSS Base Score: 8.6

CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem Types

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

Affected Products

Vendor: Netcomm

Product: NTC 6200, NWL-222

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.22% (probability of being exploited)

EPSS Percentile: 44.74% (share of other vulnerabilities scored less than or equal to this one)

EPSS Date: 2025-06-07 (when this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-4010
https://www.onekey.com/resource/security-advisory-remote-command-execution-on-netcomm-ntc-6200-and-nwl-222

Timeline