CVE-2025-35006

2025-06-08 3:58:25 PM CDT

ICVE-2025-35006: Microhard Bullet-LTE and IPn4Gii AT+MFPORTFWD Argument Injection

AHA! has discovered an issue with multiple Microhard products, and is issuing this disclosure in accordance with AHA!’s standard disclosure policy on June 8, 2025. CVE-2025-35006 has been assigned to this issue.

Any questions about this disclosure should be directed to [email protected].

Executive Summary

Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue that can lead to privilege escalation. This is an instance of CWE-88, “Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’),” and is estimated as a CVSS 7.1.

CVE-2025-35007

2025-06-08 3:58:25 PM CDT

CVE-2025-35007: Microhard Bullet-LTE and IPn4Gii AT+MFRULE Argument Injection

AHA! has discovered an issue with multiple Microhard products, and is issuing this disclosure in accordance with AHA!’s standard disclosure policy on June 8, 2025. CVE-2025-35007 has been assigned to this issue.

Any questions about this disclosure should be directed to [email protected].

Executive Summary

Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue that can lead to privilege escalation. This is an instance of CWE-88, “Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’),” and is estimated as a CVSS 7.1.

CVE-2025-35008

2025-06-08 3:58:25 PM CDT

CVE-2025-35008: Microhard Bullet-LTE and IPn4Gii AT+MMNAME Argument Injection

AHA! has discovered an issue with multiple Microhard products, and is issuing this disclosure in accordance with AHA!’s standard disclosure policy on June 8, 2025. CVE-2025-35008 has been assigned to this issue.

Any questions about this disclosure should be directed to [email protected].

Executive Summary

Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue that can lead to privilege escalation. This is an instance of CWE-88, “Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’),” and is estimated as a CVSS 7.1.

CVE-2025-35009

2025-06-08 3:58:25 PM CDT

CVE-2025-35009: Microhard Bullet-LTE and IPn4Gii AT+MNNETSP Argument Injection

AHA! has discovered an issue with multiple Microhard products, and is issuing this disclosure in accordance with AHA!’s standard disclosure policy on June 8, 2025. CVE-2025-35009 has been assigned to this issue.

Any questions about this disclosure should be directed to [email protected].

Executive Summary

Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue that can lead to privilege escalation. This is an instance of CWE-88, “Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’),” and is estimated as a CVSS 7.1.

CVE-2025-35010

2025-06-08 3:58:25 PM CDT

CVE-2025-35010: Microhard Bullet-LTE and IPn4Gii AT+MNPINGTM Argument Injection

AHA! has discovered an issue with multiple Microhard products, and is issuing this disclosure in accordance with AHA!’s standard disclosure policy on June 8, 2025. CVE-2025-35010 has been assigned to this issue.

Any questions about this disclosure should be directed to [email protected].

Executive Summary

Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue that can lead to privilege escalation. This is an instance of CWE-88, “Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’),” and is estimated as a CVSS 7.1.