CVE-2025-52690
Published 2025-07-16
Priority: P2 · 64 · high · CVSS 3.1 base score 8.1
CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 9.19% (94.7th percentile)
Successful exploitation of the vulnerability could allow an attacker to execute arbitrary commands as root, potentially leading to the loss of confidentiality, integrity, availability, and full control of the access point.
Affected
5 ranges (no version boundaries or fixed versions are given on this page)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alcatel-lucent | omniaccess_stellar_products | — | — |
Detection & IOCs (extracted from sources)
snort
alert udp any any -> $HOME_NET 32769 (msg:"ET EXPLOIT Alcatel AP1361D Command Injection in cluster_cor Service (CVE-2025-52690)"; flow:stateless,to_server; content:"|06|"; offset:3; depth:1; content:"|07|"; distance:6; within:1; pcre:"/^.*?[\x3b\x26\x60\x7c\x24]/R"; reference:url,jro.sg/CVEs/CVE-2025-52690/; reference:cve,2025-52690; classtype:attempted-admin; sid:2063558; rev:1; metadata:attack_target Server, created_at 2025_07_17, cve CVE_2025_52690, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2025_07_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
snort
alert udp any any -> $HOME_NET 32769 (msg:"ET EXPLOIT Alcatel-Lucent cluster_cor Command Injection Attempt (CVE-2025-52690)"; flow:stateless,to_server; dsize:<110; content:"|01 01 01 06 02 03 00 00 00 64 07|"; fast_pattern; startswith; pcre:"/^.*(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24)|(?:\x26{2}|%26%26))+/R"; reference:url,jro.sg/CVEs/CVE-2025-52690/; reference:cve,2025-52690; classtype:web-application-attack; sid:2063532; rev:1;
bytes (content match of sid:2063532)
|01 01 01 06 02 03 00 00 00 64 07|
- Target: UDP port 32769 inbound to $HOME_NET, the cluster_cor service on Alcatel-Lucent OmniAccess Stellar AP1361D access points. Both rules match UDP datagrams with flow:stateless,to_server.
- High-confidence rule (sid:2063532): payload shorter than 110 bytes (dsize:<110) that starts with |01 01 01 06 02 03 00 00 00 64 07| (startswith, fast_pattern), followed by at least one shell metacharacter: ";", newline, backtick, "|", "$" or "&&", in raw or URL-encoded form (%3B, %0A, %60, %7C, %24, %26%26).
- Medium-confidence rule (sid:2063558): on the same UDP/32769 traffic, byte |06| at payload offset 3 (offset:3; depth:1) and byte |07| exactly six bytes after it, i.e. at offset 10 (distance:6; within:1), followed anywhere later by one of the raw metacharacters ";", "&", "`", "|", "$" (PCRE with /R). Those two fixed bytes are bytes 3 and 10 of the full prefix the high-confidence rule matches.
- Successful exploitation gives arbitrary command execution as root on the access point; treat any alert as critical (sid:2063558 is classtype attempted-admin).
- MITRE mapping: TA0001 Initial Access / T1190 Exploit Public-Facing Application. Both rules are tagged for Perimeter and Internal deployment.
- Caveat: sid:2063532 requires dsize:<110, so a payload of 110 bytes or more evades that signature; sid:2063558 has no size limit and still matches such a datagram.
- Caveat: both rules use flow:stateless, so no session state is consulted (UDP has none to track); the medium-confidence rule checks only two fixed bytes plus a metacharacter, so expect more false positives on sensors that see heavy UDP/32769 traffic.
- Caveat: only sid:2063532 matches URL-encoded metacharacters; sid:2063558 matches raw bytes only, and it alone fires on a single "&" (sid:2063532 requires "&&"). Both PCREs use the /R (relative) modifier, which anchors the regex at the end of the preceding content match; the IDS/IPS engine must support it for the rules to behave as written.
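To make the differences between the two signatures concrete, here is an added example (not code from this page, from Emerging Threats or from the referenced writeup) that re-implements the matching logic of sid:2063532 and sid:2063558 in plain Python and runs it over constructed cluster_cor datagrams. The (port, payload) packet model, the hypothetical "ap-node-01" argument and every sample payload are assumptions made for illustration; the byte prefix, offsets, size limit and regexes are taken from the rules above.

```python
"""Re-implementation of the two ET rules for CVE-2025-52690 over sample datagrams.

Added example: the rule logic below is transcribed from the Snort/Suricata
rules on this page; the packet model and all sample payloads are constructed.
"""
import re

CLUSTER_COR_PORT = 32769

# content:"|01 01 01 06 02 03 00 00 00 64 07|"; startswith;  (sid:2063532)
CLUSTER_COR_PREFIX = b"\x01\x01\x01\x06\x02\x03\x00\x00\x00\x64\x07"

# sid:2063532 PCRE, evaluated relative (/R) to the end of the prefix match:
# raw or URL-encoded ';', newline, backtick, '|', '$', '&&'.
HIGH_PCRE = re.compile(
    rb"^.*(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)"
    rb"|(?:\x7c|%7[Cc])|(?:\x24|%24)|(?:\x26{2}|%26%26))+"
)

# sid:2063558 PCRE, raw metacharacters only: ';', '&', '`', '|', '$'.
MEDIUM_PCRE = re.compile(rb"^.*?[\x3b\x26\x60\x7c\x24]")


def match_high_confidence(dst_port: int, payload: bytes) -> bool:
    """sid:2063532: port 32769, dsize:<110, 11-byte prefix, metachar after it."""
    if dst_port != CLUSTER_COR_PORT:
        return False
    if not len(payload) < 110:  # dsize:<110 -> a 110-byte payload already evades
        return False
    if not payload.startswith(CLUSTER_COR_PREFIX):
        return False
    return HIGH_PCRE.search(payload[len(CLUSTER_COR_PREFIX):]) is not None


def match_medium_confidence(dst_port: int, payload: bytes) -> bool:
    """sid:2063558: port 32769, 0x06 at offset 3, 0x07 at offset 10, raw metachar later."""
    if dst_port != CLUSTER_COR_PORT:
        return False
    # content:"|06|"; offset:3; depth:1        -> payload[3] == 0x06
    # content:"|07|"; distance:6; within:1     -> payload[4 + 6] == 0x07
    if len(payload) < 11 or payload[3] != 0x06 or payload[10] != 0x07:
        return False
    return MEDIUM_PCRE.search(payload[11:]) is not None


def evaluate(dst_port: int, payload: bytes) -> set:
    """Return the set of rule SIDs that would alert on one UDP datagram."""
    sids = set()
    if match_high_confidence(dst_port, payload):
        sids.add(2063532)
    if match_medium_confidence(dst_port, payload):
        sids.add(2063558)
    return sids


# Constructed sample datagrams (not captured traffic); "ap-node-01" is a
# hypothetical argument placed where an injected command would go.
SAMPLES = {
    "benign":        (CLUSTER_COR_PORT, CLUSTER_COR_PREFIX + b"ap-node-01"),
    "raw_semicolon": (CLUSTER_COR_PORT, CLUSTER_COR_PREFIX + b"ap-node-01;id"),
    "url_encoded":   (CLUSTER_COR_PORT, CLUSTER_COR_PREFIX + b"ap-node-01%3Bid"),
    "single_amp":    (CLUSTER_COR_PORT, CLUSTER_COR_PREFIX + b"ap-node-01&id"),
    # exactly 110 bytes: 11-byte prefix + 96 filler bytes + ";id"
    "oversized":     (CLUSTER_COR_PORT, CLUSTER_COR_PREFIX + b"A" * 96 + b";id"),
    "wrong_port":    (5000, CLUSTER_COR_PREFIX + b"ap-node-01;id"),
}

if __name__ == "__main__":
    for name, (port, data) in SAMPLES.items():
        print(f"{name:14s} dsize={len(data):3d} alerts={sorted(evaluate(port, data))}")
```

Running it shows the gaps the caveats describe: the URL-encoded payload is caught only by sid:2063532, the single-"&" and the 110-byte payloads only by sid:2063558, and the raw ";" payload by both. Swap in your own captured payloads to check which of the two rules you would actually depend on.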
Suricata
ET EXPLOIT Alcatel AP1361D Command Injection in cluster_cor Service (CVE-2025-52690)
suricata · 2025-07-17 · CVSS 8.1 · [HIGH]
Rule: alert udp any any -> $HOME_NET 32769 (msg:"ET EXPLOIT Alcatel AP1361D Command Injection in cluster_cor Service (CVE-2025-52690)"; flow:stateless,to_server; content:"|06|"; offset:3; depth:1; content:"|07|"; distance:6; within:1; pcre:"/^.*?[\x3b\x26\x60\x7c\x24]/R"; reference:url,jro.sg/CVEs/CVE-2025-52690/; reference:cve,2025-52690; classtype:attempted-admin; sid:2063558; rev:1; metadata:attack_target Server, created_at 2025_07_17, cve CVE_2025_52690, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2025_07_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
Suricata
ET EXPLOIT Alcatel-Lucent cluster_cor Command Injection Attempt (CVE-2025-52690)
suricata · 2025-07-16 · CVSS 8.1 · [HIGH]
Rule: alert udp any any -> $HOME_NET 32769 (msg:"ET EXPLOIT Alcatel-Lucent cluster_cor Command Injection Attempt (CVE-2025-52690)"; flow:stateless,to_server; dsize:<110; content:"|01 01 01 06 02 03 00 00 00 64 07|"; fast_pattern; startswith; pcre:"/^.*(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24)|(?:\x26{2}|%26%26))+/R"; reference:url,jro.sg/CVEs/CVE-2025-52690/; reference:cve,2025-52690; classtype:web-application-attack; sid:2063532; rev:1; metadata:affected_product Alcatel_Lucent, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_07_16, cve CVE_2025_52690, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_sever
No public exploits indexed.
No writeups or analysis indexed.
2025-07-16 · Published