CVE-2025-9494

An OS command injection vulnerability has been discovered in the Vitogate 300, which can be exploited by malicious users to compromise affected installations. Specifically, the /cgi-bin/vitogate.cgi endpoint is affected, when the form JSON parameter is set to form-0-2. The vulnerability stems from the fact that that function at offset 0x21c24 does not properly sanitize supplied input before interpolating it into a format string which gets passed to popen(). Consequently, an authenticated attacker is able to inject arbitrary OS commands and thus gain code execution on affected devices.