CVE-2025-35021

CVE-2025-35021: Abilis CPX Fallback Shell Connection Relay

AHA! has discovered an issue with Abilis CPX devices, and is publishing this disclosure in accordance with runZero’s standard disclosure policy today, November 3, 2025. CVE-2025-35021 has been assigned to this issue. Any questions about this disclosure should be directed to [email protected].

The GCVE identifier for this issue is GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100

Executive Summary

By failing to authenticate three times to an unconfigured Abilis CPX device via SSH, an attacker can log in to a restricted shell on the fourth attempt, and from there, relay connections. This issue is an instance of CWE-1188, ‘Initialization of a Resource with an Insecure Default,’ and is estimated to have a CVSS 3.1 score of 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). The relevant SSVC vectors for this vulnerability are Exploitation: PoC and Technical Impact: Partial.


CVE-2025-35027

CVE-2025-35027: Unitree Robotics wpa_supplicant_restart.sh Command Injection

AHA! has discovered an issue with the Go2, G1, H1, and B2 series robots (which includes both the quadruped and biped model lines) from Unitree, and is issuing this disclosure in accordance with AHA!’s standard disclosure policy on Friday, September 26, 2025. CVE-2025-35027 has been assigned to this issue.

Any questions about this disclosure should be directed to [email protected].

The GCVE identifier for this issue is GCVE-1337-2025-00000000000000000000000000000000000000000000000001011011111110011111111110000000000000000000000000000000000000000000000000000000010


CVE-2025-8452

CVE-2025-8452: Brother Printer Serial Number Disclosure

AHA! has discovered an issue with multi-function printer (MFP) firmware from Brother, and is issuing this disclosure in accordance with AHA!’s standard disclosure policy on Thursday, August 14, 2025. CVE-2025-8452 has been assigned to this issue.

The GCVE identifier for this issue is GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111011111010111111001000000000000000000000000000000000000000000000000000000001

Any questions about this disclosure should be directed to [email protected].

Executive Summary

Brother printer firmware advertises the serial number of the device over the network via the “uscan” protocol in its implementation of the eSCL specification. While serial numbers are rarely considered sensitive, in this case, the serial number can be used to derive the default administrator password of the device. Therefore, this is an instance of CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory, and we estimate the CVSS 3.1 rating to be 4.3 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).


CVE-2025-32455

CVE-2025-32455: ON Semiconductor Quantenna router_command.sh run_cmd Argument Injection

AHA! has discovered an issue with Quantenna Wi-Fi chips from ON Semiconductor, and is issuing this disclosure in accordance with AHA!’s standard disclosure policy on June 8, 2025. CVE-2025-32455 has been assigned to this issue.

Any questions about this disclosure should be directed to [email protected].

Executive Summary

Quantenna Wi-Fi chips ship with a local control script that is vulnerable to command injection. This is an instance of CWE-88, “Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’),” and is estimated as a CVSS 7.7.


CVE-2025-32456

CVE-2025-32456: ON Semiconductor Quantenna router_command.sh put_file_to_qtn Argument Injection

AHA! has discovered an issue with Quantenna Wi-Fi chips from ON Semiconductor, and is issuing this disclosure in accordance with AHA!’s standard disclosure policy on June 8, 2025. CVE-2025-32456 has been assigned to this issue.

Any questions about this disclosure should be directed to [email protected].

Executive Summary

Quantenna Wi-Fi chips ship with a local control script that is vulnerable to command injection. This is an instance of CWE-88, “Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’),” and is estimated as a CVSS 7.7.
