CVE-2025-35027: Unitree Robotics wpa_supplicant_restart.sh Command Injection

AHA! has discovered an issue with the Go2, G1, H1, and B2 series robots (which includes both the quadraped and biped model lines) from Unitree, and is issuing this disclosure in accordance with AHA!’s standard disclosure policy on Friday, September 26, 2025. CVE-2025-35027 has been assigned to this issue.

Any questions about this disclosure should be directed to [email protected].

The GCVE identifier for this issue is GCVE-1337-2025-00000000000000000000000000000000000000000000000001011011111110011111111110000000000000000000000000000000000000000000000000000000010

CVE-2025-8452: Brother Printer Serial Number Disclosure

AHA! has discovered an issue with multi-function printer (MFP) firmware from Brother, and is issuing this disclosure in accordance with AHA!’s standard disclosure policy on Thursday, August 14, 2025. CVE-2025-8452 has been assigned to this issue.

The GCVE identifier for this issue is GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111011111010111111001000000000000000000000000000000000000000000000000000000001

Any questions about this disclosure should be directed to [email protected].

Executive Summary

Brother printer firmware advertises the serial number of the device over the network via the “uscan” protocol in its implementation of the eSCL specification. While serial numbers are rarely considered sensitive, in this case, the serial number can be used to derive the default administrator password of the device. Therefore, this is an instance of CWE-538:  Insertion of Sensitive Information into Externally-Accessible File or Directory, and we estimate the CVSS 3.1 rating to be 4.3 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) .

CVE-2025-32455: ON Semiconductor Quantenna router_command.sh run_cmd Argument Injection

AHA! has discovered an issue with Quantenna Wi-Fi chips from ON Semiconductor, and is issuing this disclosure in accordance with AHA!’s standard disclosure policy on June 8, 2025. CVE-2025-32455 has been assigned to this issue.

Any questions about this disclosure should be directed to [email protected].

Executive Summary

Quantenna Wi-Fi chips ship with a local control script that is vulnerable to command injection. This is an instance of CWE-88, “Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’),” and is estimated as a CVSS 7.7.

CVE-2025-32456: ON Semiconductor Quantenna router_command.sh put_file_to_qtn Argument Injection

AHA! has discovered an issue with Quantenna Wi-Fi chips from ON Semiconductor, and is issuing this disclosure in accordance with AHA!’s standard disclosure policy on June 8, 2025. CVE-2025-32456 has been assigned to this issue.

Any questions about this disclosure should be directed to [email protected].

Executive Summary

Quantenna Wi-Fi chips ship with a local control script that is vulnerable to command injection. This is an instance of CWE-88, “Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’),” and is estimated as a CVSS 7.7.

CVE-2025-32457: ON Semiconductor Quantenna router_command.sh get_file_from_qtn Argument Injection

AHA! has discovered an issue with Quantenna Wi-Fi chips from ON Semiconductor, and is issuing this disclosure in accordance with AHA!’s standard disclosure policy on June 8, 2025. CVE-2025-32457 has been assigned to this issue.

Any questions about this disclosure should be directed to [email protected].

Executive Summary

Quantenna Wi-Fi chips ship with a local control script that is vulnerable to command injection. This is an instance of CWE-88, “Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’),” and is estimated as a CVSS 7.7.