High severity7.4NVD Advisory· Published Aug 5, 2025· Updated Apr 15, 2026

CVE-2025-43978

Description

Jointelli 5G CPE 21H01 firmware JY_21H01_A3_v1.36 devices allow (blind) OS command injection. Multiple endpoints are vulnerable, including /ubus/?flag=set_WPS_pin and /ubus/?flag=netAppStar1 and /ubus/?flag=set_wifi_cfgs. This allows an authenticated attacker to execute arbitrary OS commands with root privileges via crafted inputs to the SSID, WPS, Traceroute, and Ping fields.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/actuator/cve/blob/main/Jointelli/CVE-2025-43978.txtnvd
github.com/actuator/cve/tree/main/Jointellinvd
www.jointelli.com/cpe/5g-cpe-evo-4.htmlnvd
www.jointelli.com/product/25H01nvd

News mentions

No linked articles in our index yet.

cvss	0.481
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000