CVE-2025-66848 in Cloud NAS Router
Summary
by MITRE • 12/30/2025
JD Cloud NAS routers AX1800 (4.3.1.r4308 and earlier), AX3000 (4.3.1.r4318 and earlier), AX6600 (4.5.1.r4533 and earlier), BE6500 (4.4.1.r4308 and earlier), ER1 (4.5.1.r4518 and earlier), and ER2 (4.5.1.r4518 and earlier) contain an unauthorized remote command execution vulnerability.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 01/10/2026
The vulnerability identified as CVE-2025-66848 affects multiple JD Cloud NAS router models including AX1800, AX3000, AX6600, BE6500, ER1, and ER2 with specific firmware versions. This represents a critical security flaw that allows unauthorized remote command execution, potentially enabling attackers to gain full control over affected devices. The vulnerability exists within the router firmware implementations and affects devices running firmware versions up to and including the specified release numbers. These devices are widely deployed in both residential and small business environments, making the impact of this vulnerability significant across multiple network segments.
The technical flaw manifests through insufficient input validation and authentication mechanisms within the router's web interface and remote management protocols. Attackers can exploit this vulnerability by sending specially crafted requests to the device's management interface without requiring legitimate credentials, allowing them to execute arbitrary commands on the underlying operating system. This type of vulnerability falls under CWE-77 and CWE-20 categories, representing command injection and input validation flaws respectively. The vulnerability enables attackers to bypass authentication mechanisms entirely and gain root-level access to the device, which aligns with ATT&CK technique T1059 for command and scripting interpreter and T1021 for remote services.
The operational impact of this vulnerability is severe and multifaceted, as compromised routers can serve as entry points for broader network attacks. Once an attacker gains command execution capabilities, they can modify router configurations, redirect traffic through malicious proxies, install persistent backdoors, or use the device as a pivot point to attack other systems within the local network. The affected devices may also be used to launch distributed denial-of-service attacks or to create botnets for further malicious activities. Network administrators face the challenge of identifying compromised devices within their infrastructure, as the attack may not generate obvious network traffic patterns that would trigger standard intrusion detection systems.
Organizations should immediately implement mitigations including firmware updates from JD Cloud, network segmentation to isolate affected devices, and monitoring for unusual network traffic patterns. The recommended approach involves verifying the current firmware versions of all affected devices and applying official patches as soon as they become available. Network administrators should also consider implementing firewall rules to restrict access to router management interfaces from untrusted networks and disable unnecessary remote management features. Additional security measures include changing default credentials, implementing network access controls, and conducting thorough network scans to identify potentially compromised devices. The vulnerability demonstrates the importance of regular firmware updates and proper network security hygiene, particularly for devices that are often overlooked in traditional security assessments.