CVE-2025-3499
Unauthenticated REST APIs on management network ports 8084 and 8086 are vulnerable to OS command injection, allowing arbitrary code execution.
Executive summary
Critical OS command injection vulnerabilities in device REST APIs expose the management network to remote code execution by unauthenticated attackers.
Vulnerability
The device exposes unauthenticated REST APIs on TCP ports 8084 and 8086, which are susceptible to OS command injection, allowing an attacker to execute arbitrary commands on the underlying system.
Business impact
With a CVSS score of 10.0, this vulnerability represents the highest level of risk, allowing full system compromise and potential lateral movement across the management network. Successful exploitation could result in total loss of confidentiality, integrity, and availability for the affected hardware.
Remediation
Immediate Action: Identify the affected hardware and apply the vendor-provided firmware update immediately to secure the REST API endpoints.
Proactive Monitoring: Monitor management network traffic for anomalous requests to ports 8084 and 8086 and review system logs for unauthorized command execution patterns.
Compensating Controls: Restrict access to the management network via VLAN isolation or firewall rules to ensure that only authorized administrative workstations can communicate with these ports.
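The monitoring and access-restriction steps above can be turned into a simple check over management-network access logs. The script below is an added example, not part of the advisory or any vendor tooling; it assumes a constructed log format of "<src_ip> <dst_port> <method> <path>", a hypothetical administrative subnet of 10.10.50.0/24, and flags two things on ports 8084 and 8086: requests from hosts outside the authorized subnet, and query parameters carrying shell metacharacters, which is the pattern to look for when an API is known to hand parameters to the OS.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, unquote_plus

# Assumptions (not from the advisory): the subnet of authorized administrative
# workstations, and the access-log field layout used in SAMPLE_LOG below.
ADMIN_NETS = [ip_network("10.10.50.0/24")]
MGMT_PORTS = {8084, 8086}
# Characters that separate or substitute commands in a POSIX shell; a query
# value carrying one of these deserves review when the API passes it to the OS.
SHELL_META = re.compile(r"[;|`$\n]")

# Constructed sample log lines: "<src_ip> <dst_port> <method> <path>".
SAMPLE_LOG = """\
10.10.50.12 8084 GET /api/status?iface=eth0
192.0.2.77 8086 POST /api/ping?host=10.0.0.1;id
10.10.50.12 8086 GET /api/ping?host=10.0.0.1&count=3
198.51.100.9 8084 GET /api/status
"""


def parse_line(line):
    """Split one constructed log line into its four fields."""
    src, port, method, path = line.split(maxsplit=3)
    return {"src": ip_address(src), "port": int(port), "method": method, "path": path}


def query_values(path):
    """Return the decoded values of every query parameter in a request path."""
    query = urlsplit(path).query
    return [unquote_plus(part.partition("=")[2]) for part in query.split("&") if part]


def classify(entry):
    """Return the findings for one request; an empty list means nothing notable."""
    findings = []
    if entry["port"] not in MGMT_PORTS:
        return findings
    # Only the authorized administrative subnet should ever reach these ports.
    if not any(entry["src"] in net for net in ADMIN_NETS):
        findings.append("unauthorized-source")
    # Any parameter value containing shell metacharacters is flagged for review.
    if any(SHELL_META.search(value) for value in query_values(entry["path"])):
        findings.append("shell-metacharacter-in-parameter")
    return findings


def scan(log_text):
    """Run classify() over every log line and collect (src, port, findings)."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        findings = classify(entry)
        if findings:
            alerts.append((str(entry["src"]), entry["port"], findings))
    return alerts


if __name__ == "__main__":
    for src, port, findings in scan(SAMPLE_LOG):
        print(f"ALERT {src} -> :{port} {', '.join(findings)}")
```

On the constructed sample the script raises two alerts: the request from 192.0.2.77 is both off-subnet and carries a ";" in its host parameter, and the request from 198.51.100.9 is off-subnet. Splitting the query on "&" by hand rather than with parse_qs keeps the behaviour identical across Python versions, some of which also treat ";" as a parameter separator and would hide exactly the character of interest.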
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
This critical vulnerability requires immediate attention due to the ease of access via unauthenticated APIs. Administrators must isolate the management network and apply the necessary security patches as soon as they are made available by the vendor.