CVE-2025-20617
In short
An attacker who can log in to a UD-LT2 with an administrative account can manipulate the requests sent by a certain screen operation so that the device executes arbitrary OS commands. Administrative credentials (or a hijacked admin session) are required, but once an attacker has them, a web-admin login turns into full control of the device's operating system.
Technical detail
OS command injection (CWE-78) in UD-LT2 firmware Ver.1.00.008_SE and earlier: the handler for a certain screen operation passes request data into an OS command without neutralizing shell special characters. An authenticated attacker with administrative privileges can craft requests for that operation to execute arbitrary OS commands on the device, compromising its confidentiality, integrity and availability (CVSS 3.0 base score 7.2, High; the score is lowered only by the high-privilege requirement). The page does not disclose which screen operation or request parameter is affected, nor the privilege level of the web handler process.
Summary generated and translated by AI from the official description.
Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. If an attacker logs in to the affected product with an administrative account and manipulates requests for a certain screen operation, an arbitrary OS command may be executed. This vulnerability was reported on a different screen operation from CVE-2025-26856.
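The following C example is added here and is not code from the UD-LT2 firmware or from I-O DATA; it shows the CWE-78 shape the description refers to. A request value is concatenated into a command line for system(), i.e. for /bin/sh -c, next to a hardened version that allowlists the value and then runs the program through execv() with an argv array, so no shell ever sees the input. The use of ping and of a "host" parameter are assumptions made for illustration; the page does not say which screen operation or parameter is affected.

```c
/*
 * Illustration of the CWE-78 pattern described in the advisory. This is
 * NOT code from the UD-LT2 firmware: the handler shape, the "host"
 * parameter and the ping command are assumptions made for the example.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Vulnerable shape: a value taken from the request is pasted into a command
 * line and handed to system(), i.e. to /bin/sh -c. Shell metacharacters in
 * the value (; | & $( ) ` newline) are interpreted, so an admin who sends
 * "127.0.0.1; reboot" gets a second command executed.
 */
const char *vulnerable_command(const char *host)
{
    static char cmd[512];
    snprintf(cmd, sizeof cmd, "ping -c 1 %s", host);
    return cmd;
}

void run_vulnerable(const char *host)
{
    system(vulnerable_command(host));   /* injection point */
}

/*
 * Hardened shape, step 1: allowlist validation. Only characters that can
 * appear in a hostname or IPv4 literal are accepted, and a leading '-' is
 * rejected so the value cannot be parsed as a ping option.
 */
int is_valid_host(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 253 || s[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/*
 * Hardened shape, step 2: no shell at all. The validated value is passed as
 * a single argv element to execv(), so even a character that slipped through
 * validation would reach ping as literal bytes, never /bin/sh.
 * Returns the child's exit status, or -1 if the input was rejected or the
 * child could not be run.
 */
int run_hardened(const char *host)
{
    if (!is_valid_host(host))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *argv[] = { "ping", "-c", "1", (char *)host, NULL };
        execv("/bin/ping", argv);
        _exit(127);                     /* exec failed */
    }

    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *evil = "127.0.0.1; reboot";   /* constructed sample input */

    printf("vulnerable command line: %s\n", vulnerable_command(evil));
    printf("hardened result for \"%s\": %d (rejected)\n", evil, run_hardened(evil));
    printf("valid host accepted: %d\n", is_valid_host("192.168.0.1"));
    return 0;
}
```

The structural fix is the execv() call with an argv array, not the character filter: a filter alone is fragile because the set of significant characters depends on the shell and on how the value is quoted, whereas a value passed as its own argv element is never parsed by a shell at all. The allowlist is still worth keeping as defense in depth and to stop option injection (a value starting with "-"). For operators of affected devices, the PR:H in the vector means the exposure is bounded by who can reach and log in to the admin interface, so restricting that interface to a management network is a useful interim control until the firmware is updated.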
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected products
I-O DATA DEVICE, INC. · UD-LT2