CVE-2025-52688
Published: 2025-07-16
Priority: P2 · 73 · critical · CVSS 3.1 base score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 22.54% (97.4th percentile)
Successful exploitation of the vulnerability could allow an attacker to inject commands with root privileges on the access point, potentially leading to the loss of confidentiality, integrity, availability, and full control of the access point.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alcatel-lucent | omniaccess_stellar_products | — | — |
| alcatel-lucent | omniaccess_stellar_products | — | — |
| alcatel-lucent | omniaccess_stellar_products | — | — |
| alcatel-lucent | omniaccess_stellar_products | — | — |
| alcatel-lucent | omniaccess_stellar_products | — | — |
Detection & IOCs
URL: /echo.fcgi
Snort/Suricata rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Alcatel AP1361D Command Injection in Web Login (CVE-2025-52688)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/echo.fcgi"; fast_pattern; startswith; http.request_body; content:"|22|username|22 3a|"; pcre:"/^\s*\x22[^\x22]*?(?:[\x3b\x24\x27\x60\x7c]|\x25(?:3[bB]|2[47]|60|7[cC]))/R"; reference:url,jro.sg/CVEs/CVE-2025-52688/; reference:cve,2025-52688; classtype:web-application-attack; sid:2063555; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_07_17, cve CVE_2025_52688, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_07_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
Byte pattern matched in the request body: |22|username|22 3a| (0x22 is a double quote and 0x3a a colon, so this is the JSON key "username": immediately before the value)
- The exploit targets HTTP POST requests to /echo.fcgi on the Alcatel AP1361D web login interface; monitor for the POST method combined with this URI path.
- The injection payload is embedded in the JSON 'username' field of the request body; look for shell metacharacters (;, $, ', `, |) or their URL-encoded equivalents (%3b, %24, %27, %60, %7c) inside the username value, i.e. after its opening quote and before its closing quote.
- The rule is tagged for both Perimeter and Internal deployment, indicating the attack surface includes externally exposed and internally accessible AP management interfaces; TLS decryption (tls_state TLSDecrypt) is required for full detection coverage.
- Successful exploitation grants root-level command execution on the access point; post-exploitation indicators should include unexpected outbound connections or new processes spawned from the web server process.
- TLS decryption must be enabled on the monitoring sensor for the Snort/Suricata rule (sid:2063555) to fire on encrypted HTTPS traffic to the AP management interface.
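To see exactly what the rule above fires on, here is an added example (not code from this page, from the ET rule authors, or from Alcatel-Lucent) that re-implements the rule's conditions in Python and runs them over constructed login requests to a hypothetical host ap.example; the metacharacter set and URL-encoded forms are taken from the rule's pcre.

```python
import json
import re

# Added example, not the IDS itself: a plain re-implementation of what
# sid:2063555 inspects, useful for sanity-checking the rule's logic. It only
# sees plaintext, so the TLS-decryption caveat above applies just the same.
KEY = '"username":'  # the rule's |22|username|22 3a| content match
# The rule's pcre with /R: anchored right after the key, optional whitespace,
# the opening quote, then a shell metacharacter or its URL-encoded form
# before the value's closing quote.
PAYLOAD_RE = re.compile(r'''^\s*"[^"]*?(?:[;$'`|]|%(?:3[bB]|2[47]|60|7[cC]))''')


def parse_request(raw: bytes) -> tuple[str, str, str]:
    """Split a raw HTTP/1.1 request into (method, uri, decoded body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    method, uri, _ = request_line.split(" ", 2)
    return method, uri, body.decode("utf-8", "replace")


def matches_rule(raw: bytes) -> bool:
    """True when the request satisfies every condition of the ET rule."""
    method, uri, body = parse_request(raw)
    if method != "POST" or not uri.startswith("/echo.fcgi"):
        return False
    pos = body.find(KEY)
    if pos == -1:
        return False
    # /R: the pcre is evaluated relative to the end of the content match.
    return PAYLOAD_RE.search(body[pos + len(KEY):]) is not None


def login_request(username: str, uri: str = "/echo.fcgi",
                  method: str = "POST") -> bytes:
    """Construct a sample login request to the hypothetical AP ap.example."""
    body = json.dumps({"username": username, "password": "x"})
    return (
        f"{method} {uri} HTTP/1.1\r\nHost: ap.example\r\n"
        f"Content-Type: application/json\r\n"
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    ).encode()


if __name__ == "__main__":
    for name in ("admin", "admin;", "admin%3B", "admin|"):
        print(repr(name), matches_rule(login_request(name)))
```

A metacharacter in any other field (for example the password) does not fire the rule, because the pcre's `[^"]*?` cannot cross the username value's closing quote.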
Suricata
Rule: ET WEB_SPECIFIC_APPS Alcatel AP1361D Command Injection in Web Login (CVE-2025-52688) · sid 2063555 · created 2025-07-17 · severity CRITICAL · CVSS 9.8 (full rule text above)
No public exploits indexed.
Published: 2025-07-16