CVE-2025-41378
Description
The SSID field is not parsed correctly and can be used to inject commands into the hostpad.conf file. This can be exploited by an attacker to extend his knowledge of the system and compromise other devices. The information is filtered by the logs function of the web panel.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper parsing of the SSID field in Iridium Certus 700 allows command injection into hostpad.conf, enabling an attacker to extend system knowledge and compromise other devices.
Vulnerability Overview
The SSID field in the web panel of the Iridium Certus 700 (version 1.0.1) is not properly parsed, leading to a command injection vulnerability. An attacker can inject arbitrary commands into the hostpad.conf file by crafting a malicious SSID value. This issue is classified as CWE-20 (Improper Input Validation) and has a CVSS v4.0 base score of 6.9 (Medium severity) [1].
Exploitation
To exploit this vulnerability, an attacker must have authenticated access to the web panel and be on the local network (AV:A, PR:L). The injected commands are executed in the context of the hostpad configuration parsing process. The web panel's log filtering function may obscure the injected data, but the commands themselves are still executed [1].
Impact
Successful exploitation allows an attacker to extend their knowledge of the system and potentially compromise other devices connected to the same network. The attacker gains high confidentiality impact (VC:H) as they can read sensitive system information, but there is no direct integrity or availability impact on the device itself [1].
Mitigation
The vendor, Intellian Technologies, has resolved this vulnerability in the Q2 2025 firmware update. Users are advised to apply the latest firmware to remediate the issue [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
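The CWE-20 fix class described above, as an added example that is not code from the vendor or from this page: validate the SSID, then serialize it so that no byte of user input can begin a new configuration line. Assumptions: the target file is a hostapd-style, line-oriented key=value file; the page does not state the exact injection vector, so the newline case and the names `validate_ssid`, `safe_line`, `unsafe_line` and `example_key` are illustrative; `ssid2=<hex>` is hostapd's alternative SSID syntax, and whether the device firmware uses it is not stated.

```python
# Added example (not vendor code): validate an SSID and serialize it so that
# no byte of user input can start a new line in a key=value config file.
MAX_SSID_BYTES = 32  # IEEE 802.11 SSID length limit


class InvalidSSID(ValueError):
    """Raised when a submitted SSID must not be written to the config."""


def validate_ssid(ssid: str) -> bytes:
    """Return the SSID as UTF-8 bytes, or raise InvalidSSID."""
    raw = ssid.encode("utf-8")
    if not 1 <= len(raw) <= MAX_SSID_BYTES:
        raise InvalidSSID("SSID must be 1..32 bytes")
    # Reject C0 controls and DEL: CR/LF would end the ssid= line and let the
    # rest of the value be read as additional configuration directives.
    if any(b < 0x20 or b == 0x7F for b in raw):
        raise InvalidSSID("control characters are not allowed")
    return raw


def unsafe_line(ssid: str) -> str:
    """The weak pattern (assumed): raw interpolation into the config text."""
    return f"ssid={ssid}\n"


def safe_line(ssid: str) -> str:
    """Validate, then emit hex so the value stays inert inside the file."""
    return f"ssid2={validate_ssid(ssid).hex()}\n"


def directives(config_text: str) -> list[str]:
    """Keys a line-oriented parser would see in the generated text."""
    return [ln.split("=", 1)[0] for ln in config_text.split("\n") if "=" in ln]


# Constructed sample input: a newline followed by an unrelated directive.
CONSTRUCTED_BAD = "guest\nexample_key=example_value"

if __name__ == "__main__":
    print(directives(unsafe_line(CONSTRUCTED_BAD)))  # two keys, one injected
    print(safe_line("guest wifi"), end="")
    try:
        safe_line(CONSTRUCTED_BAD)
    except InvalidSSID as exc:
        print("rejected:", exc)
```

Hex encoding is the defence in depth here: even an SSID containing `=` or `#` reaches the file as a single opaque value.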
Patches
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.