CVE-2025-55423
published 2026-01-20


Priority: P271
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.33% (87.1th percentile)
A command injection vulnerability exists in the upnp_relay() function in multiple ipTIME router models because the controlURL value used to pass port-forwarding information to an upper router is passed to system() without proper validation or sanitization, allowing OS command injection.

Affected

163 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| iptime | a1004_firmware | 9.90.8 – 12.16.2 | |
| iptime | a1004ns_firmware | 9.96.0 – 12.16.2 | |
| iptime | a1004v_firmware | 9.90.8 – 12.16.2 | |
| iptime | a104_firmware | 9.90.8 – 10.03.8 | |
| iptime | a104ns_firmware | 9.96.0 – 12.16.2 | |
| iptime | a104r_firmware | 9.90.8 – 10.07.4 | |
| iptime | a1_firmware | 9.96.8 – 10.07.4 | |
| iptime | a2003mu_firmware | 12.13.0 – 12.16.2 | |
| iptime | a2003ns-mu_firmware | 10.00.6 – 12.16.2 | |
| iptime | a2004_firmware | 9.90.8 – 10.07.4 | |
| iptime | a2004mu_firmware | 10.08.6 – 12.17.0 | |
| iptime | a2004ns-mu_firmware | 10.08.6 – 12.17.0 | |
| iptime | a2004ns-r_firmware | 9.90.8 – 11.00.4 | |
| iptime | a2004ns_firmware | 9.90.8 – 11.00.4 | |
| iptime | a2004nsplus_firmware | 9.90.8 – 11.00.4 | |
| iptime | a2004plus_firmware | 9.90.8 – 10.07.4 | |
| iptime | a2004r_firmware | 9.90.8 – 10.07.4 | |
| iptime | a2004se_firmware | 14.16.6 – 14.19.4 | |
| iptime | a2008_firmware | 9.90.8 – 10.07.4 | |
| iptime | a3002mesh_firmware | 12.05.4 – 14.19.4 | |
| iptime | a3003ns_firmware | 9.99.8 – 11.00.4 | |
| iptime | a3004-dual_firmware | 9.90.4 – 10.07.2 | |
| iptime | a3004_firmware | 9.90.8 – 10.08.2 | |
| iptime | a3004m_firmware | 14.18.4 – 14.19.4 | |
| iptime | a3004ns-bcm_firmware | 9.95.8 – 11.00.4 | |