CVE-2025-35006 in IPn4Gii
Summary
by MITRE • 06/09/2025
Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue in the AT+MFPORTFWD command that can lead to privilege escalation. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). This issue has not been generally fixed at the time of this CVE record's first publishing.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 01/12/2026
The vulnerability identified as CVE-2025-35006 affects Microhard BulletLTE-NA2 and IPn4Gii-NA2 communication devices that implement the AT+MFPORTFWD command for port forwarding operations. These industrial-grade cellular communication modules are commonly deployed in critical infrastructure environments where reliable connectivity is paramount. The flaw resides in how the system processes command arguments without proper sanitization, creating a pathway for malicious actors to inject arbitrary commands after establishing authentication. This represents a significant security concern as it allows for privilege escalation following successful authentication, potentially enabling attackers to gain elevated system privileges and execute unauthorized operations within the device's operational environment.
The technical root cause of this vulnerability maps directly to CWE-88, which specifically addresses improper neutralization of argument delimiters in command execution contexts. The AT+MFPORTFWD command interface fails to properly validate or sanitize input parameters before incorporating them into system commands, creating an argument injection vulnerability. Attackers can manipulate the command parameters to include malicious payloads that get executed with the privileges of the authenticated user. The CVSS score of 7.1 indicates a high-severity issue with local access requirements, low complexity, and no user interaction needed, while the unspecified scope suggests potential for significant impact across the device's operational capabilities. This vulnerability falls under the ATT&CK technique T1059.001 for Command and Scripting Interpreter, specifically targeting command-line interfaces where argument injection can be leveraged for privilege escalation.
The operational impact of this vulnerability extends beyond simple command execution as it enables attackers to manipulate network forwarding rules and potentially gain access to internal network segments. Given that these devices are often deployed in industrial control systems and remote monitoring applications, the privilege escalation capability could allow adversaries to compromise entire network infrastructures. The lack of a general fix at the time of CVE publication indicates that organizations using these devices face an ongoing risk without immediate remediation options. Security teams must consider the potential for persistent access and data exfiltration capabilities that could be achieved through this vulnerability, particularly in environments where these devices serve as primary communication gateways for critical systems.
Organizations should implement immediate mitigations including network segmentation to limit access to these devices, enforcing strict access controls and authentication mechanisms, and monitoring for unusual command execution patterns. Device firmware updates should be prioritized as soon as vendor patches become available, while administrators should consider disabling unnecessary command interfaces until proper security controls are in place. The vulnerability underscores the importance of input validation and proper command construction in embedded systems, particularly those operating in industrial environments where security is often secondary to operational reliability. Security monitoring should specifically target anomalous behavior in port forwarding configurations and command execution logs to detect potential exploitation attempts.