CVE-2025-0680
published 2025-01-30

Priority: P267 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.60% (44.2th percentile)
Affected products contain a vulnerability in the device cloud rpc command handling process that could allow remote attackers to take control over arbitrary devices connected to the cloud.

Affected

3 ranges

Vendor                   Product                         Version range   Fixed in
new_rock_technologies    mx8g_voip_gateway
new_rock_technologies    nrp1302_p_desktop_ip_phone
new_rock_technologies    om500_ip-pbx

Detection & IOCs (extracted from sources)

  • Monitor for exploitation of cloud RPC command handling on New Rock Technologies devices (OM500 IP-PBX, MX8G VoIP Gateway, NRP1302/P Desktop IP Phone); OS command injection via cloud RPC interface (CWE-78) allows unauthenticated remote code execution with no user interaction.
  • Monitor Cloud MQTT service traffic for wildcard topic subscriptions (e.g., '#' or '+' wildcards) which may indicate an attacker tapping device communications to harvest sensitive information (CVE-2025-0681, related companion vulnerability).
  • Block or alert on internet-facing exposure of New Rock Technologies cloud-connected devices; the vulnerability is exploitable remotely with low attack complexity and no privileges required (CVSS v3.1 9.8, AV:N/AC:L/PR:N/UI:N).
  • All firmware versions of the affected products are vulnerable; there is no patched version available as the vendor has not responded to CISA mitigation requests. Defensive measures (firewall isolation, VPN, no internet exposure) are the only available mitigations.
  • All listed product lines (OM500 IP-PBX, MX8G VoIP Gateway, NRP1302/P Desktop IP Phone) are affected across all versions; no version-based scoping is possible for detection tuning.

CVSS provenance

nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v4.0 · 9.3 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X