CVE-2025-55423

CRITICAL · CVSS 3.1: 9.8 · EPSS 87.1%
Published Jan 20, 2026 (5mo ago) · Last Modified Jun 17, 2026 (1w ago)

Description

A command injection vulnerability exists in the upnp_relay() function in multiple ipTIME router models because the controlURL value used to pass port-forwarding information to an upper router is passed to system() without proper validation or sanitization, allowing OS command injection.

CVSS Details

Base Score: 9.8
Exploitability: 3.9
Impact: 5.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Threat Intelligence

EPSS Exploit Probability: 87.1% percentile
Exploit & Patch Status: Public Exploit Known; No Patch Available

Weaknesses 1

CWE-94: Improper Control of Generation of Code (Code Injection) · Injection

Affected Products 327

Vendor | Product | Version | Range
iptime | n104s-r1_firmware | * | ≥9.90.8 – ≤10.02.2
iptime | n104s-r1 | * | any
iptime | n104v_firmware | * | ≥9.90.8 – ≤10.06.8
iptime | n104v | * | any
iptime | n1e_firmware | * | ≥9.90.8 – ≤10.06.8
iptime | n1e | * | any
iptime | n1plus_firmware | * | ≥9.90.8 – ≤10.06.8
iptime | n1plus | * | any
iptime | n1plus-i_firmware | * | ≥9.99.6 – ≤10.06.8
iptime | n1plus-i | * | any
iptime | n1v_firmware | * | ≥11.01.2 – ≤12.07.6
iptime | n1v | * | any
iptime | n2e_firmware | * | ≥9.90.8 – ≤10.06.8
iptime | n2e | * | any
iptime | n2eplus_firmware | * | ≥9.90.8 – ≤10.06.8
iptime | n2eplus | * | any
iptime | n2plus_firmware | * | ≥9.90.8 – ≤10.06.8
iptime | n2plus | * | any
iptime | n2plus-i_firmware | * | ≥9.99.6 – ≤10.06.8
iptime | n2plus-i | * | any
iptime | n2v_firmware | * | ≥10.09.2 – ≤12.16.8
iptime | n2v | * | any
iptime | n2vs_firmware | 12.16.8 | any
iptime | n2vs | * | any
iptime | n3_firmware | * | ≥9.93.2 – ≤10.06.8
iptime | n3 | * | any
iptime | n3-i_firmware | * | ≥9.99.6 – ≤10.06.8
iptime | n3-i | * | any
iptime | n5_firmware | * | ≥9.90.8 – ≤10.06.8
iptime | n5 | * | any
iptime | n5-i_firmware | * | ≥9.99.6 – ≤10.06.8
iptime | n5-i | * | any
iptime | n6_firmware | * | ≥9.96.8 – ≤10.06.8
iptime | n6 | * | any
iptime | n600_firmware | * | ≥10.00.8 – ≤12.16.2
iptime | n600 | * | any
iptime | n6004r_firmware | * | ≥9.90.8 – ≤10.02.2
iptime | n6004r | * | any
iptime | n602e_firmware | * | ≥11.96.6 – ≤12.16.8
iptime | n602e | * | any
iptime | n602eplus_firmware | * | ≥12.14.2 – ≤12.16.2
iptime | n602eplus | * | any
iptime | n602se_firmware | * | ≥14.19.0 – ≤14.19.4
iptime | n602se | * | any
iptime | n604_black_firmware | * | ≥9.93.8 – ≤12.16.2
iptime | n604_black | * | any
iptime | n604a_firmware | * | ≥9.90.8 – ≤10.06.8
iptime | n604a | * | any
iptime | n604e_firmware | * | ≥10.09.2 – ≤14.19.4
iptime | n604e | * | any
iptime | n604eplus_firmware | * | ≥12.14.2 – ≤14.19.4
iptime | n604eplus | * | any
iptime | n604plus_firmware | * | ≥9.90.8 – ≤12.15.2
iptime | n604plus | * | any
iptime | n604plus-i_firmware | * | ≥9.99.6 – ≤12.14.6
iptime | n604plus-i | * | any
iptime | n604r_firmware | * | ≥9.90.8 – ≤10.06.8
iptime | n604r | * | any
iptime | n604rplus_firmware | * | ≥9.90.8 – ≤10.06.8
iptime | n604rplus | * | any
iptime | n604rplus-i_firmware | * | ≥9.99.6 – ≤10.06.8
iptime | n604rplus-i | * | any
iptime | n604s_firmware | * | ≥9.90.8 – ≤10.06.8
iptime | n604s | * | any
iptime | n604se_firmware | * | ≥14.18.4 – ≤14.19.4
iptime | n604se | * | any
iptime | n604t_firmware | * | ≥9.90.8 – ≤10.03.2
iptime | n604t | * | any
iptime | n604tplus_firmware | * | ≥9.90.8 – ≤10.03.2
iptime | n604tplus | * | any
iptime | n604v_firmware | * | ≥9.90.8 – ≤10.06.8
iptime | n604v | * | any
iptime | n604vplus_firmware | * | ≥9.90.8 – ≤10.06.8
iptime | n604vplus | * | any
iptime | n7004ns_firmware | 9.91.2 | any
iptime | n7004ns | * | any
iptime | n702bcm_firmware | * | ≥9.90.8 – ≤12.16.2
iptime | n702bcm | * | any
iptime | n702e_firmware | * | ≥10.09.2 – ≤12.16.2
iptime | n702e | * | any
iptime | ax11000_firmware | * | ≥14.16.6 – ≤14.19.4
iptime | ax11000 | * | any
iptime | ax2002mesh_firmware | * | ≥14.16.6 – ≤14.19.4
iptime | ax2002mesh | * | any
iptime | ax2004_firmware | * | ≥14.17.4 – ≤14.19.4
iptime | ax2004 | * | any
iptime | ax2004bcm_firmware | * | ≥12.04.2 – ≤14.19.4
iptime | ax2004bcm | * | any
iptime | ax2004m_firmware | * | ≥14.02.0 – ≤14.19.4
iptime | ax2004m | * | any
iptime | ax3004bcm_firmware | * | ≥14.16.2 – ≤14.19.4
iptime | ax3004bcm | * | any
iptime | ax3004itl_firmware | * | ≥12.01.2 – ≤14.19.4
iptime | ax3004itl | * | any
iptime | ax8004bcm_firmware | * | ≥11.97.2 – ≤14.19.4
iptime | ax8004bcm | * | any
iptime | ax8004m_firmware | * | ≥14.05.2 – ≤14.19.4
iptime | ax8004m | * | any
iptime | ax8008m_firmware | * | ≥14.15.4 – ≤14.19.4
iptime | ax8008m | * | any
iptime | a1_firmware | * | ≥9.96.8 – ≤10.07.4
iptime | a1 | * | any
iptime | a1004_firmware | * | ≥9.90.8 – ≤12.16.2
iptime | a1004 | * | any
iptime | a1004ns_firmware | * | ≥9.96.0 – ≤12.16.2
iptime | a1004ns | * | any
iptime | a1004v_firmware | * | ≥9.90.8 – ≤12.16.2
iptime | a1004v | * | any
iptime | a104_firmware | * | ≥9.90.8 – ≤10.03.8
iptime | a104 | * | any
iptime | a104ns_firmware | * | ≥9.96.0 – ≤12.16.2
iptime | a104ns | * | any
iptime | a104r_firmware | * | ≥9.90.8 – ≤10.07.4
iptime | a104r_firmware | * | any
iptime | a104r | * | any
iptime | a2003mu_firmware | * | ≥12.13.0 – ≤12.16.2
iptime | a2003mu | * | any
iptime | a2003ns-mu_firmware | * | ≥10.00.6 – ≤12.16.2
iptime | a2003ns-mu | * | any
iptime | a2004_firmware | * | ≥9.90.8 – ≤10.07.4
iptime | a2004 | * | any
iptime | a2004mu_firmware | * | ≥10.08.6 – ≤12.17.0
iptime | a2004mu | * | any
iptime | a2004ns_firmware | * | ≥9.90.8 – ≤11.00.4
iptime | a2004ns | * | any
iptime | a2004ns-mu_firmware | * | ≥10.08.6 – ≤12.17.0
iptime | a2004ns-mu | * | any
iptime | a2004ns-r_firmware | * | ≥9.90.8 – ≤11.00.4
iptime | a2004ns-r | * | any
iptime | a2004nsplus_firmware | * | ≥9.90.8 – ≤11.00.4
iptime | a2004nsplus | * | any
iptime | a2004plus_firmware | * | ≥9.90.8 – ≤10.07.4
iptime | a2004plus | * | any
iptime | a2004r_firmware | * | ≥9.90.8 – ≤10.07.4
iptime | a2004r | * | any
iptime | a2004se_firmware | * | ≥14.16.6 – ≤14.19.4
iptime | a2004se | * | any
iptime | a2008_firmware | * | ≥9.90.8 – ≤10.07.4
iptime | a2008 | * | any
iptime | a3_firmware | * | ≥9.97.2 – ≤10.07.2
iptime | a3 | * | any
iptime | a3002mesh_firmware | * | ≥12.05.4 – ≤14.19.4
iptime | a3002mesh | * | any
iptime | a3003ns_firmware | * | ≥9.99.8 – ≤11.00.4
iptime | a3003ns | * | any
iptime | a3004_firmware | * | ≥9.90.8 – ≤10.08.2
iptime | a3004 | * | any
iptime | a3004-dual_firmware | * | ≥9.90.4 – ≤10.07.2
iptime | a3004-dual | * | any
iptime | a3004m_firmware | * | ≥14.18.4 – ≤14.19.4
iptime | a3004m | * | any
iptime | a3004ns_firmware | * | ≥9.90.2 – ≤10.09.4
iptime | a3004ns | * | any
iptime | a3004ns-bcm_firmware | * | ≥9.95.8 – ≤11.00.4
iptime | a3004ns-bcm | * | any
iptime | a3004ns-dual_firmware | * | ≥9.90.4 – ≤12.09.4
iptime | a3004ns-dual | * | any
iptime | a3004ns-m_firmware | * | ≥10.05.4 – ≤14.19.4
iptime | a3004ns-m | * | any
iptime | a3004t_firmware | * | ≥12.10.2 – ≤14.19.4
iptime | a3004t | * | any
iptime | a3004tw_firmware | * | ≥14.15.2 – ≤14.19.4
iptime | a3004tw | * | any
iptime | a3008-mu_firmware | * | ≥10.08.4 – ≤14.19.4
iptime | a3008-mu | * | any
iptime | a304_firmware | * | ≥10.05.4 – ≤10.07.4
iptime | a304 | * | any
iptime | a5004ns_firmware | * | ≥9.90.2 – ≤11.00.4
iptime | a5004ns | * | any
iptime | a5004ns-m_firmware | * | ≥10.05.4 – ≤14.19.4
iptime | a5004ns-m | * | any
iptime | a6004mx_firmware | * | ≥12.04.6 – ≤14.19.4
iptime | a6004mx | * | any
iptime | a6004ns_firmware | * | ≥9.90.2 – ≤11.00.4
iptime | a6004ns | * | any
iptime | a6004ns-m_firmware | * | ≥9.99.8 – ≤14.19.4
iptime | a6004ns-m | * | any
iptime | a604_firmware | * | ≥9.90.8 – ≤12.06.6
iptime | a604 | * | any
iptime | a604-v3_firmware | * | ≥10.01.6 – ≤10.07.2
iptime | a604-v3 | * | any
iptime | a604-v5_firmware | * | ≥10.09.2 – ≤12.16.2
iptime | a604-v5 | * | any
iptime | a604g-mu_firmware | * | ≥10.07.4 – ≤12.16.2
iptime | a604g-mu | * | any
iptime | a604g-skylife_firmware | * | ≥12.02.4 – ≤12.12.4
iptime | a604g-skylife | * | any
iptime | a604m_firmware | * | ≥10.06.4 – ≤10.07.2
iptime | a604m | * | any
iptime | a604mu_firmware | * | ≥12.12.4 – ≤12.16.2
iptime | a604mu | * | any
iptime | a604r_firmware | * | ≥10.09.2 – ≤12.16.2
iptime | a604r | * | any
iptime | a604se_firmware | * | ≥14.17.2 – ≤14.19.4
iptime | a604se | * | any
iptime | a604v_firmware | * | ≥9.90.8 – ≤10.07.4
iptime | a604v | * | any
iptime | a6ns-m_firmware | * | ≥10.01.6 – ≤14.19.4
iptime | a6ns-m | * | any
iptime | a7004m_firmware | * | ≥10.06.8 – ≤14.19.4
iptime | a7004m | * | any
iptime | a704ns-bcm_firmware | * | ≥9.95.8 – ≤11.00.4
iptime | a704ns-bcm | * | any
iptime | a7ns_firmware | * | ≥9.96.0 – ≤11.00.4
iptime | a7ns | * | any
iptime | a8004bcm_firmware | * | ≥11.99.1 – ≤12.16.2
iptime | a8004bcm | * | any
iptime | a8004itl_firmware | * | ≥11.00.4 – ≤14.19.4
iptime | a8004itl | * | any
iptime | a8004ns-m_firmware | * | ≥9.99.2 – ≤14.19.4
iptime | a8004ns-m | * | any
iptime | a8004t_firmware | * | ≥10.06.8 – ≤14.19.4
iptime | a8004t | * | any
iptime | a8004t-xr_firmware | * | ≥11.97.2 – ≤14.19.4
iptime | a8004t-xr | * | any
iptime | a804ns-mu_firmware | * | ≥10.06.4 – ≤12.10.2
iptime | a804ns-mu | * | any
iptime | a8ns-m_firmware | * | ≥10.03.2 – ≤14.19.4
iptime | a8ns-m | * | any
iptime | a9004m_firmware | * | ≥10.05.4 – ≤14.19.4
iptime | a9004m | * | any
iptime | a9004m-x2_firmware | * | ≥11.98.2 – ≤14.19.4
iptime | a9004m-x2 | * | any
iptime | ew302n_firmware | * | ≥9.90.8 – ≤12.16.2
iptime | ew302n | * | any
iptime | n102e_firmware | * | ≥11.00.8 – ≤12.15.2
iptime | n102e | * | any
iptime | n102eplus_firmware | * | ≥12.14.2 – ≤12.15.2
iptime | n102eplus | * | any
iptime | n102i_firmware | * | ≥11.01.2 – ≤12.15.2
iptime | n102i | * | any
iptime | n102iplus_firmware | * | ≥12.14.2 – ≤12.15.2
iptime | n102iplus | * | any
iptime | n104_black_firmware | * | ≥9.93.8 – ≤10.06.8
iptime | n104_black | * | any
iptime | n104e_firmware | * | ≥10.09.4 – ≤12.15.2
iptime | n104e | * | any
iptime | n104eplus_firmware | * | ≥12.14.2 – ≤12.15.2
iptime | n104eplus | * | any
iptime | n104k_firmware | * | ≥9.90.8 – ≤10.06.8
iptime | n104k | * | any
iptime | n104plus_firmware | * | ≥9.90.8 – ≤10.06.8
iptime | n104plus | * | any
iptime | n104plus-i_firmware | * | ≥9.99.6 – ≤10.06.8
iptime | n104plus-i | * | any
iptime | n104q_firmware | * | ≥9.90.8 – ≤10.06.8
iptime | n104q | * | any
iptime | n104q-i_firmware | * | ≥9.99.6 – ≤10.06.8
iptime | n104q-i | * | any
iptime | n104r_firmware | * | ≥9.90.8 – ≤10.06.8
iptime | n104r | * | any
iptime | n702eplus_firmware | * | ≥12.12.4 – ≤12.16.2
iptime | n702eplus | * | any
iptime | n702r_firmware | * | ≥10.05.8 – ≤10.06.8
iptime | n702r | * | any
iptime | n704-a3_firmware | * | ≥9.90.8 – ≤10.06.8
iptime | n704-a3 | * | any
iptime | n704bcm_firmware | * | ≥9.90.8 – ≤12.16.2
iptime | n704bcm | * | any
iptime | n704e_firmware | * | ≥11.98.4 – ≤12.16.2
iptime | n704e | * | any
iptime | n704eplus_firmware | * | ≥12.14.2 – ≤12.16.2
iptime | n704eplus | * | any
iptime | n704ns_firmware | * | ≥9.91.4 – ≤9.96.0
iptime | n704ns | * | any
iptime | n704qca_firmware | * | ≥10.02.4 – ≤12.16.2
iptime | n704qca | * | any
iptime | n704v3_firmware | * | ≥9.90.8 – ≤12.10.2
iptime | n704v3 | * | any
iptime | n8004r_firmware | * | ≥9.90.8 – ≤10.02.2
iptime | n8004r | * | any
iptime | n8004v_firmware | * | ≥9.90.8 – ≤10.02.2
iptime | n8004v | * | any
iptime | n804_firmware | * | ≥9.91.2 – ≤9.96.8
iptime | n804 | * | any
iptime | n804a_firmware | * | ≥9.91.2 – ≤9.96.8
iptime | n804a | * | any
iptime | n804a3_firmware | * | ≥9.90.8 – ≤9.96.8
iptime | n804a3 | * | any
iptime | n804r_firmware | * | ≥10.06.4 – ≤12.16.2
iptime | n804r | * | any
iptime | n804t_firmware | * | ≥9.91.2 – ≤9.96.8
iptime | n804t | * | any
iptime | n804t3_firmware | * | ≥9.90.8 – ≤9.96.8
iptime | n804t3 | * | any
iptime | n804v_firmware | * | ≥9.91.2 – ≤9.96.8
iptime | n804v | * | any
iptime | n904_firmware | * | ≥9.90.8 – ≤10.02.2
iptime | n904 | * | any
iptime | n904ns_firmware | * | ≥9.91.4 – ≤9.96.0
iptime | n904ns | * | any
iptime | n904plus_firmware | * | ≥9.90.8 – ≤10.02.2
iptime | n904plus | * | any
iptime | n904v_firmware | * | ≥9.90.8 – ≤10.02.2
iptime | n904v | * | any
iptime | smart_firmware | * | ≥9.90.8 – ≤9.94.2
iptime | smart | * | any
iptime | q1_firmware | 9.91.2 | any
iptime | q1 | * | any
iptime | q304_firmware | 9.91.2 | any
iptime | q304 | * | any
iptime | q504_firmware | 9.91.2 | any
iptime | q504 | * | any
iptime | q604_firmware | 9.91.2 | any
iptime | q604 | * | any
iptime | t16000_firmware | * | ≥9.91.2 – ≤11.03.6
iptime | t16000 | * | any
iptime | t16000m_firmware | * | ≥12.07.4 – ≤14.19.4
iptime | t16000m | * | any
iptime | t24000_firmware | * | ≥9.91.2 – ≤11.03.6
iptime | t24000 | * | any
iptime | t24000m_firmware | * | ≥12.07.4 – ≤14.19.4
iptime | t24000m | * | any
iptime | t3004_firmware | * | ≥9.90.8 – ≤12.07.6
iptime | t3004 | * | any
iptime | t3008_firmware | * | ≥9.90.8 – ≤12.09.6
iptime | t3008 | * | any
iptime | t5004_firmware | * | ≥11.96.4 – ≤14.19.4
iptime | t5004 | * | any
iptime | t5008_firmware | * | ≥11.98.2 – ≤14.19.4
iptime | t5008 | * | any
iptime | v304_firmware | 9.91.2 | any
iptime | v304 | * | any
iptime | v504_firmware | * | ≥9.90.8 – ≤12.15.2
iptime | v504 | * | any
iptime | v508_firmware | * | ≥10.02.2 – ≤10.06.4
iptime | v508 | * | any

References 4

  • docs.google.com https://docs.google.com/spreadsheets/d/1kryOFltCmnPJvDTpIrudgryt79uI4PWchuQ8-Gak24c/edit?usp=sharing
    Third Party Advisory
  • github.com https://github.com/0x0xxxx/CVE/blob/main/CVE-2025-55423/README.md
    Exploit, Third Party Advisory
  • github.com https://github.com/0x0xxxx/CVE/blob/main/CVE-2025-55423/assets/affected_products_cve_format.json
    Third Party Advisory
  • iptime.com https://iptime.com/iptime/?pageid=4&page_id=126&dfsid=3&dftid=583&uid=25203&mod=document
    Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.