A high-severity vulnerability has been identified in multiple products from the vendor 'was', allowing a remote, unauthenticated attacker to execute arbitrary code on affected devices. Successful exploitation could lead to a complete system compromise, enabling the attacker to intercept network traffic, access sensitive data, or use the device to launch further attacks against the internal network. Organizations are urged to apply the vendor-provided security updates immediately to mitigate this significant risk.

This vulnerability is a command injection flaw within the web-based management interface of the affected devices. An unauthenticated remote attacker can exploit this by sending a specially crafted HTTP request to a specific API endpoint responsible for network diagnostics. The input to this endpoint is not properly sanitized, allowing the attacker to inject and execute arbitrary operating system commands with the privileges of the web server process, which is often root on these types of devices.

This vulnerability presents a significant threat to the organization, categorized as High severity with a CVSS score of 8.8. A successful exploit grants an attacker complete control over the affected network infrastructure device. This can lead to severe business consequences, including the loss of data confidentiality through traffic sniffing, loss of integrity by altering network configurations to redirect users to malicious sites, and loss of availability by disabling network services. Compromised devices could also be used as a pivot point to attack other internal systems or be co-opted into a botnet for use in external attacks, causing reputational damage.

Immediate Action: The primary and most effective remediation is to apply the security updates provided by the vendor immediately across all affected devices. After patching, review system and access logs for any signs of compromise that may have occurred prior to the update.

Proactive Monitoring: Implement enhanced monitoring of network traffic originating from the affected devices for any unusual patterns or connections to unknown external hosts. Security teams should actively monitor web server access logs for anomalous requests, specifically looking for requests containing shell metacharacters (e.g., |, &, ;, $()) directed at the device's management interface.

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce the risk of exploitation:

• Restrict access to the device's web management interface to a dedicated, trusted administrative network or specific IP addresses.
• Disable remote/WAN management access entirely if it is not required for business operations.
• Place the device behind a Web Application Firewall (WAF) configured with rules to block command injection attempts.

Public Exploit Available: False

Given the high CVSS score of 8.8, this vulnerability requires immediate attention. We strongly recommend that organizations prioritize the deployment of the vendor-supplied patches to all affected systems. Although CVE-2025-9748 is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, its severity makes it a prime candidate for future inclusion. If patching cannot be performed immediately, the compensating controls listed above should be implemented as a matter of urgency to reduce the attack surface.