CVE-2025-41379 in Iridium Certus 700

Summary

by MITRE • 05/23/2025

The Intellian C700 web panel allows you to add firewall rules. Each of these rules has an associated ID, but there is a problem when adding a new rule: the ID used to create the database entry may be different from the JSON ID. If the rule needs to be deleted later, the system will use the JSON ID and therefore fail. This can be exploited by an attacker to create rules that cannot be deleted unless the device is reset to factory defaults.


Analysis

by VulDB Data Team • 05/23/2025

The vulnerability identified as CVE-2025-41379 resides within the Intellian C700 web panel firmware, specifically targeting the firewall rule management functionality. This issue represents a critical inconsistency in the system's data handling mechanisms where the internal database storage of firewall rules employs a different identification scheme than what is exposed through the JSON API interface. The fundamental flaw manifests when an attacker creates a new firewall rule through the web interface, as the system assigns a unique internal ID for database persistence while simultaneously exposing a different JSON ID through the application programming interface. This discrepancy creates a fundamental mismatch in the system's rule management capabilities, particularly during deletion operations where the system references the JSON ID rather than the internal database ID.

The operational impact of this vulnerability extends beyond simple administrative inconvenience to represent a potential security escalation path. When an attacker successfully creates a firewall rule with this ID mismatch, they effectively create a persistent backdoor or persistent rule that cannot be removed through normal administrative procedures. The system's inability to locate and delete the rule using the JSON ID means that the malicious rule remains active until the device undergoes a complete factory reset, which represents a significant operational risk for network administrators who may not be aware of the presence of such undeletable rules. This vulnerability directly maps to CWE-1286, which describes the weakness of inconsistent handling of identifiers across different system components, and aligns with ATT&CK technique T1562.001 for "Disable or Modify Tools" where attackers could maintain persistence through undeletable firewall rules.

The technical exploitation of this vulnerability requires minimal privileges and can be accomplished through the standard web panel interface, making it particularly dangerous as it does not require specialized attack tools or elevated access levels. Attackers can leverage this inconsistency to create rules that appear in the system's rule listing but cannot be removed through standard deletion commands, effectively creating a rule that persists through system reboots and normal administrative operations. The vulnerability's persistence mechanism is particularly concerning as it allows for long-term network infiltration without detection, as the rule management interface would appear to function normally while silently failing to remove specific entries. Network security teams should consider this vulnerability as part of their broader threat modeling efforts, particularly in environments where firewall rule management is critical for network segmentation and access control. The vulnerability's impact is exacerbated by the fact that it may go undetected for extended periods, as administrators would not realize that certain rules cannot be removed through normal operations, potentially creating a false sense of security in the firewall configuration.
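A minimal model of the ID mismatch described above, as an added example (not Intellian firmware code and not part of the advisory). The SQLite table, the function names and the rule fields are assumptions constructed for illustration; the block shows the flawed create path beside a corrected one, plus a consistency audit over the stored rules.

```python
import json
import sqlite3

def open_store():
    # Constructed stand-in for the panel's rule database (assumption).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE rules (db_id INTEGER PRIMARY KEY, body TEXT)")
    return db

def add_rule_flawed(db, rule):
    # Flaw being modelled: the row key is assigned by the database, while the
    # stored JSON keeps whatever "id" arrived with the request.
    db.execute("INSERT INTO rules (body) VALUES (?)", (json.dumps(rule),))

def add_rule_fixed(db, rule):
    # Correction: the store is the only source of the ID, and the JSON "id"
    # is overwritten with the key the database actually assigned.
    cur = db.execute("INSERT INTO rules (body) VALUES ('{}')")
    body = json.dumps({**rule, "id": cur.lastrowid})
    db.execute("UPDATE rules SET body = ? WHERE db_id = ?", (body, cur.lastrowid))
    return cur.lastrowid

def list_rules(db):
    rows = db.execute("SELECT body FROM rules ORDER BY db_id")
    return [json.loads(body) for (body,) in rows]

def delete_rule(db, json_id):
    # Deletion is driven by the JSON ID, as the summary describes.
    cur = db.execute("DELETE FROM rules WHERE db_id = ?", (json_id,))
    return cur.rowcount == 1

def audit_mismatches(db):
    # Consistency check: (storage key, JSON id) for every row where they differ.
    rows = db.execute("SELECT db_id, body FROM rules ORDER BY db_id").fetchall()
    return [(key, json.loads(body).get("id")) for key, body in rows
            if json.loads(body).get("id") != key]

if __name__ == "__main__":
    db = open_store()
    add_rule_flawed(db, {"id": 7, "action": "drop", "port": 8443})  # constructed rule
    print("delete by JSON id succeeded:", delete_rule(db, 7))
    print("still listed:", list_rules(db))
    print("mismatched rows:", audit_mismatches(db))
```

In this model the rule is stored under key 1 but advertises ID 7, so the delete matches no row while the listing keeps showing the rule; the audit surfaces exactly that row.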

Responsible

INCIBE

Reservation

04/16/2025

Disclosure

05/23/2025

Moderation

accepted

CPE

ready

EPSS

0.00363

KEV

no

Activities

very low
