CVE-2025-0680
published 2025-01-30CVE-2025-0680: Affected products contain a vulnerability in the device cloud rpc command handling process that could allow remote attackers to take control over arbitrary…
PriorityP267critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.60%
44.2th percentile
Affected products contain a vulnerability in the device cloud rpc command handling process that could allow remote attackers to take control over arbitrary devices connected to the cloud.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| new_rock_technologies | mx8g_voip_gateway | — | — |
| new_rock_technologies | nrp1302_p_desktop_ip_phone | — | — |
| new_rock_technologies | om500_ip-pbx | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for exploitation of cloud RPC command handling on New Rock Technologies devices (OM500 IP-PBX, MX8G VoIP Gateway, NRP1302/P Desktop IP Phone); OS command injection via cloud RPC interface (CWE-78) allows unauthenticated remote code execution with no user interaction. ↗
- →Monitor Cloud MQTT service traffic for wildcard topic subscriptions (e.g., '#' or '+' wildcards) which may indicate an attacker tapping device communications to harvest sensitive information (CVE-2025-0681, related companion vulnerability). ↗
- →Block or alert on internet-facing exposure of New Rock Technologies cloud-connected devices; the vulnerability is exploitable remotely with low attack complexity and no privileges required (CVSS v3.1 9.8, AV:N/AC:L/PR:N/UI:N). ↗
- ·All firmware versions of the affected products are vulnerable; there is no patched version available as the vendor has not responded to CISA mitigation requests. Defensive measures (firewall isolation, VPN, no internet exposure) are the only available mitigations. ↗
- ·All listed product lines (OM500 IP-PBX, MX8G VoIP Gateway, NRP1302/P Desktop IP Phone) are affected across all versions — no version-based scoping is possible for detection tuning. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.3CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA ICS
New Rock Technologies Cloud Connected Devices
cisa_ics·2025-01-30·CVSS 9.3
[CRITICAL] New Rock Technologies Cloud Connected Devices
ICS Advisory
##
New Rock Technologies Cloud Connected Devices
Release DateJanuary 30, 2025
Alert CodeICSA-25-030-02
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
View CSAF
## 1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: New Rock Technologies
- Equipment: Cloud Connected Devices
- Vulnerabilities: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Improper Neutralization of Wildcards or Matching Symbols
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker full control of the device.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of New Rock Technologi
GHSA
GHSA-p4fv-8hx8-v8cr: Affected products contain a vulnerability in the device cloud rpc command handling process that could allow remote attackers to take control over arbi
ghsa_unreviewed·2025-01-30
CVE-2025-0680 [CRITICAL] CWE-78 GHSA-p4fv-8hx8-v8cr: Affected products contain a vulnerability in the device cloud rpc command handling process that could allow remote attackers to take control over arbi
Affected products contain a vulnerability in the device cloud rpc command handling process that could allow remote attackers to take control over arbitrary devices connected to the cloud.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-01-30
Published