CVE-2025-3460: ON Semiconductor Quantenna set_tx_pow Argument Injection
AHA! has discovered an issue with Quantenna Wi-Fi chips from ON Semiconductor, and is issuing this disclosure in accordance with AHA!’s standard disclosure policy on June 8, 2025. CVE-2025-3460 has been assigned to this issue.
Any questions about this disclosure should be directed to [email protected].
Executive Summary
Quantenna Wi-Fi chips ship with a local control script that is vulnerable to command injection. This is an instance of CWE-88, “Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’),” and has an estimated CVSS score of 7.7.
Technical Details
The set_tx_pow script is vulnerable to command injection. Observe the following code snippet:
max_tx_power=`get_bootval max_tx_power`
min_tx_power=`get_bootval min_tx_power`
power=$1
There is no sanitization of the first argument, so an attacker can place any command there and it will be executed. An example of remote exploitation of this vulnerability would be to use the qcsapi rpc service to run the run_script command on the set_tx_pow script as follows:
qcsapi_sockrpc run_script set_tx_pow "\`/usr/sbin/inetd\`"
This would cause a telnet service to spawn on the affected chip, but the command could be anything and would run as root.
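For contrast, the following is a hardened form of the same argument handling, written as an added example for this disclosure rather than code from Quantenna or ON Semiconductor; get_bootval is stubbed with constructed values and set_tx_pow_hardened is a hypothetical entry point.

```shell
#!/bin/sh
# Hardened tx-power argument handling (added example, not vendor code).
# get_bootval is stubbed with constructed limits so this runs offline;
# a real script would read them from the boot configuration.
get_bootval() {
    case "$1" in
        max_tx_power) echo 23 ;;
        min_tx_power) echo 1 ;;
        *) return 1 ;;
    esac
}

# Accept only a plain decimal integer inside the configured range.
# Anything containing backticks, $(...), ';', spaces or other non-digit
# characters is rejected before it can reach any command line.
# Echoes the validated value and returns 0, or returns 1 on rejection.
validate_tx_power() {
    power="$1"
    case "$power" in
        ''|*[!0-9]*) return 1 ;;   # empty or contains a non-digit
    esac
    max=$(get_bootval max_tx_power)
    min=$(get_bootval min_tx_power)
    # Numeric comparison on a value already proven to be digits only.
    if [ "$power" -lt "$min" ] || [ "$power" -gt "$max" ]; then
        return 1
    fi
    printf '%s\n' "$power"
}

# Hypothetical wrapper mirroring set_tx_pow's entry point: validate first,
# and only then hand the value to whatever applies it to the radio.
set_tx_pow_hardened() {
    if ! value=$(validate_tx_power "$1"); then
        echo "set_tx_pow: invalid power argument" >&2
        return 2
    fi
    # Placeholder for the real radio call; the value is known-safe here.
    echo "tx power set to $value"
}

if [ $# -gt 0 ]; then
    set_tx_pow_hardened "$1"
fi
```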
Attacker Value
Assuming the implementor of the Quantenna Wi-Fi chip has failed to disable the qcsapi rpc service in their end product, an attacker can use this vulnerability to run any command as root, noting especially the ability to enable the telnet service (and thus, chaining this issue with the issue described in CVE-2025-3461). This, in turn, can allow the attacker to essentially take complete control of the Quantenna Wi-Fi chip remotely, without authentication.
Note that it may be tricky to identify what end products incorporate this chipset. If you’re aware of this chipset in use in your Wi-Fi access point, please feel free to share, as end-users are unlikely to be capable of working around this issue on their own.
Credit
This vulnerability was discovered and documented by Ricky “HeadlessZeke” Lawshae of Keysight.
Timeline
- 2025-03-27 (Thu): Presented at regularly scheduled AHA! meeting 0x00df
- 2025-04-02 (Wed): Contact initiated to [email protected]
- 2025-04-08 (Tue): Discovered and contact established with [email protected]
- 2025-04-11 (Fri): Acknowledged by the vendor
- 2025 (April and May): Various communications about this and other discovered issues between AHA! and the vendor
- 2025-05-19 (Mon): Draft best practices report shared with AHA!
- 2025-05-30 (Fri): Best practices guidance published by the vendor
- 2025-06-08 (Sun): Public disclosure of CVE-2025-3460