A critical vulnerability, identified as CVE-2025-64090, has been discovered in multiple products, carrying the highest possible CVSS score of 10. This flaw allows an attacker who has already gained access to an affected device to execute arbitrary commands with elevated privileges, potentially leading to a complete system compromise.

This vulnerability is a command injection flaw that can be triggered through the device's hostname parameter. An authenticated attacker with privileges to change the device hostname can embed malicious commands within the hostname string (e.g., my-device;reboot). When a system process or script reads and executes this hostname value without proper input sanitization, the embedded commands are executed on the underlying operating system, likely with high privileges.

This vulnerability is rated as critical severity with a CVSS score of 10. Successful exploitation could result in a complete takeover of the affected device. Potential consequences include unauthorized data access and exfiltration, installation of persistent backdoors or ransomware, and the ability to use the compromised system as a pivot point for further attacks within the network. The requirement for prior authentication is the only limiting factor, but if an attacker obtains credentials through other means (e.g., phishing, weak passwords), the impact is catastrophic.

Immediate Action: Immediately update all affected products to the latest version as recommended by the vendor. Prioritize patching on internet-facing and critical internal systems. After patching, continue to monitor for any signs of exploitation and review historical access logs for unauthorized changes to device hostnames.

Proactive Monitoring: Implement enhanced monitoring to detect potential exploitation attempts. Specifically, look for unusual or malformed hostnames in configuration logs, audit logs, and network management tools. Monitor for unexpected process execution, particularly from services that interact with system configuration settings. Alert on any suspicious outbound network traffic from affected devices.

Compensating Controls: If patching cannot be immediately applied, implement the following controls:

• Strictly limit and audit administrative access to the functionality that allows changing the device hostname.
• If possible, use a Web Application Firewall (WAF) or similar security tool to enforce a strict character set for hostnames, blocking special characters like ;, |, &, and $.
• Deploy Endpoint Detection and Response (EDR) agents to detect and block anomalous command execution on the devices.

Public Exploit Available: false

Given the critical CVSS score of 10, this vulnerability represents a severe risk to the organization and must be addressed with the highest urgency. All system owners must prioritize the immediate application of vendor-supplied patches to all affected assets. Although this CVE is not currently listed in the CISA KEV catalog, its severity makes it a prime candidate for future inclusion. Organizations should assume it will be actively exploited and act decisively to mitigate the risk.