• Menu ▾
• • Home
  • About
  • Rules
  • Chat
  • CVE
  • Mailing List
  • Meetings
  • Our Spawn
  • Contact

CVE-2025-35007

2025-06-08 3:58:25 PM CDT

CVE-2025-35007: Microhard Bullet-LTE and IPn4Gii AT+MFRULE Argument Injection

AHA! has discovered an issue with multiple Microhard products, and is issuing this disclosure in accordance with AHA!’s standard disclosure policy on June 8, 2025. CVE-2025-35007 has been assigned to this issue.

Any questions about this disclosure should be directed to [email protected].

Executive Summary

Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue that can lead to privilege escalation. This is an instance of CWE-88, “Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’),” and is estimated as a CVSS 7.1.

Read more

CVE-2025-35008

2025-06-08 3:58:25 PM CDT

CVE-2025-35008: Microhard Bullet-LTE and IPn4Gii AT+MMNAME Argument Injection

AHA! has discovered an issue with multiple Microhard products, and is issuing this disclosure in accordance with AHA!’s standard disclosure policy on June 8, 2025. CVE-2025-35008 has been assigned to this issue.

Any questions about this disclosure should be directed to [email protected].

Executive Summary

Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue that can lead to privilege escalation. This is an instance of CWE-88, “Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’),” and is estimated as a CVSS 7.1.

Read more

CVE-2025-35009

2025-06-08 3:58:25 PM CDT

CVE-2025-35009: Microhard Bullet-LTE and IPn4Gii AT+MNNETSP Argument Injection

AHA! has discovered an issue with multiple Microhard products, and is issuing this disclosure in accordance with AHA!’s standard disclosure policy on June 8, 2025. CVE-2025-35009 has been assigned to this issue.

Any questions about this disclosure should be directed to [email protected].

Executive Summary

Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue that can lead to privilege escalation. This is an instance of CWE-88, “Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’),” and is estimated as a CVSS 7.1.

Read more

CVE-2025-35010

2025-06-08 3:58:25 PM CDT

CVE-2025-35010: Microhard Bullet-LTE and IPn4Gii AT+MNPINGTM Argument Injection

AHA! has discovered an issue with multiple Microhard products, and is issuing this disclosure in accordance with AHA!’s standard disclosure policy on June 8, 2025. CVE-2025-35010 has been assigned to this issue.

Any questions about this disclosure should be directed to [email protected].

Executive Summary

Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue that can lead to privilege escalation. This is an instance of CWE-88, “Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’),” and is estimated as a CVSS 7.1.

Read more

CVE-2025-2894

2025-03-27 8:57:25 PM CDT

CVE-2025-2894: Unitree Go1 Backdoor Control Channel

AHA! has discovered an issue with the Go1 from Unitree, and is issuing this disclosure in accordance with AHA!’s standard disclosure policy on March 27, 2025. CVE-2025-2894 has been assigned to this issue.

Any questions about this disclosure should be directed to [email protected].

Executive Summary

Unitree, makers of the Go1, also known as “The World’s First Intelligence Bionic Quadruped Robot Companion of Consumer Level,” contains an undocumented backdoor that can enable the manufacturer, and anyone in possession of the correct API key, complete remote control over the affected robotic device using the CloudSail remote access service by Oray.

Read more

← Newer posts Older posts →