CVE-2025-5459 OS Command Injection

A user with specific node group editing permissions and a specially crafted class parameter could be used to execute commands as root on the primary host. It affects Puppet Enterprise versions 2018.1.8 through 2023.8.3 and 2025.3 and has been resolved in versions 2023.8.4 and 2025.4.0...

PT-2025-26943 · Puppet · Puppet Enterprise

Name of the Vulnerable Software and Affected Versions: Puppet Enterprise versions 2018.1.8 through 2023.8.3 Puppet Enterprise version 2025.3 Description: A user with specific node group editing permissions and a specially crafted class parameter could execute commands as root on the primary host...

CVE-2025-26412

The SIMCom SIM7600G modem supports an undocumented AT command, which allows an attacker to execute system commands with root permission on the modem. An attacker needs either physical access or remote shell access to a device that interacts directly with the modem via AT commands...

CVE-2023-33869

Enphase Envoy versions D7.0.88 is vulnerable to a command injection exploit that may allow an attacker to execute root commands...

CVE-2023-23295

Korenix Jetwave 4200 Series 1.3.0 and JetWave 3000 Series 1.6.0 are vulnerable to Command Injection via /goform/formSysCmd. An attacker an modify the sysCmd parameter in order to execute commands as root...

CVE-2022-36310

Airspan AirVelocity 1500 software prior to version 15.18.00.2511 had NET-SNMP-EXTEND-MIB enabled on its snmpd service, enabling an attacker with SNMP write abilities to execute commands as root on the eNodeB. This issue may affect other AirVelocity and AirSpeed models...

CVE-2022-36309

Airspan AirVelocity 1500 software versions prior to 15.18.00.2511 have a root command injection vulnerability in the ActiveBank parameter of the recoverySubmit.cgi script running on the eNodeB's web management UI. This issue may affect other AirVelocity and AirSpeed models...

CVE-2021-45836

An authenticated attacker can execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4.2.X 4.2.15-2107141517 by injecting a maliciously crafted input in the request through /tos/index.php?app/handapp...

CVE-2021-20719

RFNTPS firmware versions System01000004 and earlier, and Web01000004 and earlier allow an attacker on the same network segment to execute arbitrary OS commands with a root privilege via unspecified vectors...

CVE-2021-25310

The administration web interface on Belkin Linksys WRT160NL 1.0.04.002US20130619 devices allows remote authenticated attackers to execute system commands with root privileges via shell metacharacters in the uilanguage POST parameter to the apply.cgi form endpoint. This occurs in doupgradepost in...

CVE-2021-45840

It is possible to execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4.2.X 4.2.15-2107141517 by sending specifically crafted input to /tos/index.php?app/appstartstop...

CVE-2021-45809

GlobalProtect-openconnect versions prior to 1.4.3 are affected by incorrect access control in GPService through DBUS, GUI Application. The way GlobalProtect-Openconnect is set up enables arbitrary users to execute commands as root by submitting the --script=...

CVE-2020-16204

The affected product is vulnerable due to an undocumented interface found on the device, which may allow an attacker to execute commands as root on the device on the N-Tron 702-W / 702M12-W all versions...

CVE-2018-20162

Digi TransPort LR54 4.4.0.26 and possible earlier devices have Improper Input Validation that allows users with 'super' CLI access privileges to bypass a restricted shell and execute arbitrary commands as root...

CVE-2025-20256

A vulnerability in the web-based management interface of Cisco Secure Network Analytics Manager and Cisco Secure Network Analytics Virtual Manager could allow an authenticated, remote attacker with valid administrative credentials to execute arbitrary commands as root on the underlying operating...

CVE-2025-20256

A vulnerability in the web-based management interface of Cisco Secure Network Analytics Manager and Cisco Secure Network Analytics Virtual Manager could allow an authenticated, remote attacker with valid administrative credentials to execute arbitrary commands as root on the underlying operating...

CVE-2025-25504

An issue in the /usr/local/bin/jncs.sh script of Gefen WebFWC In AV over IP products v1.85h, v1.86v, and v1.70 allows attackers with network access to connect to the device over TCP port 4444 without authentication and execute arbitrary commands with root privileges...

CVE-2025-43595 MSP360 Backup (for Linux) insecure filesystem permissions

An insecure file system permissions vulnerability in MSP360 Backup 4.3.1.115 allows a low privileged user to execute commands with root privileges in the 'Online Backup' folder. Upgrade to MSP360 Backup 4.4 released on 2025-04-22...

PAN-OS: Authenticated Admin Command Injection Vulnerability in PAN-OS VM-Series

A command injection vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to bypass system restrictions and run arbitrary commands as a root user. This issue is only applicable to PAN-OS VM-Series. This issue does not affect firewalls that are already deploye...

CVE-2025-29987

Dell PowerProtect Data Domain with Data Domain Operating System DD OS versions prior to 8.3.0.15 contain an Insufficient Granularity of Access Control vulnerability. An authenticated user from a trusted remote client could exploit this vulnerability to execute arbitrary commands with root...