CVE-2025-13798: Unveiling a Command Injection Flaw in ADSLR NBR1005GPEV2 Routers

Overview

CVE-2025-13798 is a medium-severity vulnerability affecting ADSLR NBR1005GPEV2 routers with firmware version 250814-r037c. This flaw allows a remote attacker to inject arbitrary commands through the ap_macfilter_add function in the /send_order.cgi file. The vulnerability stems from improper sanitization of the mac argument, leading to command execution with elevated privileges.

This issue has been publicly disclosed and a proof-of-concept exploit is available, increasing the risk of exploitation in the wild. The vendor was contacted regarding this vulnerability but has not yet provided a response.

Technical Details

The vulnerability lies within the ap_macfilter_add function, accessed via the /send_order.cgi endpoint. By manipulating the mac parameter sent to this function, an attacker can inject operating system commands. The lack of proper input validation allows the injected commands to be executed on the router’s system with the privileges of the web server process. The specific payload and method of exploitation are detailed in the publicly available resources.

The vulnerable parameter mac is not properly sanitized before being used in a system call, allowing an attacker to append shell commands that will be executed by the underlying operating system.

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) score for CVE-2025-13798 is 6.3, indicating a MEDIUM severity vulnerability. The CVSS vector is likely AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L (or similar), meaning:

  • AV:N (Attack Vector: Network): The vulnerability is exploitable over the network.
  • AC:L (Attack Complexity: Low): Exploitation is relatively easy.
  • PR:N (Privileges Required: None): No privileges are required to exploit the vulnerability.
  • UI:R (User Interaction: Required): User interaction is required according to this vector, although the exact vector may vary based on the specifics.
  • S:U (Scope: Unchanged): The vulnerability only affects the vulnerable component.
  • C:L (Confidentiality: Low): Limited impact on confidentiality.
  • I:L (Integrity: Low): Limited impact on integrity.
  • A:L (Availability: Low): Limited impact on availability.

Possible Impact

Successful exploitation of CVE-2025-13798 could allow an attacker to:

  • Gain unauthorized access to the router’s configuration.
  • Modify the router’s settings, including DNS servers, potentially redirecting traffic to malicious sites.
  • Install malware on the router.
  • Disrupt network services by causing a denial-of-service (DoS).
  • Potentially pivot to other devices on the network.

Mitigation or Patch Steps

Unfortunately, the vendor has not released a patch or provided any mitigation guidance as of this writing. In the absence of an official fix, the following steps are recommended:

  • Discontinue use of the affected ADSLR NBR1005GPEV2 router. This is the most secure option.
  • Implement strict access control measures. Ensure that only authorized users have access to the router’s web interface.
  • Monitor network traffic for suspicious activity. Look for unusual patterns or requests to the /send_order.cgi endpoint.
  • Implement a web application firewall (WAF) or intrusion detection/prevention system (IDS/IPS) to detect and block malicious requests targeting the vulnerable endpoint. This may be challenging in a home router environment.
  • Consider using a different router model from a vendor with a better track record of security updates.
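
One way to implement the monitoring step above is sketched below as an added example (it is not code from the vendor or from the original advisory). It assumes the management interface sits behind a proxy or sensor that writes combined-format access logs and that the mac parameter travels in the query string; the page does not document the request format, so both are assumptions, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/send_order.cgi"  # endpoint named in the advisory
# Strict allowlist: six hex octets joined by ':' or '-', nothing else.
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}")
# Client address and request target from a combined-format log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def flag_requests(log_lines):
    """Return (client, decoded mac value) for each request to ENDPOINT
    whose mac parameter is not a plain MAC address."""
    findings = []
    for line in log_lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target = match.groups()
        url = urlsplit(target)
        if not url.path.endswith(ENDPOINT):
            continue
        # parse_qs percent-decodes, so encoded characters are checked in clear.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("mac", []):
            if not MAC_RE.fullmatch(value):
                findings.append((client, value))
    return findings


# Constructed sample lines, not captured traffic. Carrying mac in the query
# string is an assumption; the page does not give the request format.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Dec/2025:10:00:01 +0000] "GET /send_order.cgi?mac=00:11:22:33:44:55 HTTP/1.1" 200 12',
    '192.0.2.10 - - [01/Dec/2025:10:00:05 +0000] "GET /index.html?mac=not-a-mac HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Dec/2025:10:02:11 +0000] "POST /send_order.cgi?mac=00:11:22:33:44:55%3BPLACEHOLDER HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/Dec/2025:10:02:12 +0000] "GET /send_order.cgi?mac=00-11-22-33-44-55+extra HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for client, value in flag_requests(SAMPLE_LOG):
        print(f"ALERT {client} sent non-MAC value {value!r} to {ENDPOINT}")
```

Because the check is an allowlist on the decoded value, it flags anything that is not a well-formed MAC address instead of trying to enumerate shell metacharacters. If the device receives mac in a POST body, the same check applies to the body fields your sensor records.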

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
