CVE-2025-6103
Published 2025-06-16
Priority P2 · 68 · high
CVSS 3.1 base score 8.8 (HIGH): AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS 2.50% (82.7th percentile)
A vulnerability classified as critical has been found in Wifi-soft UniBox Controller up to version 20250506. An unspecified function in the file /billing/test_accesscodelogin.php is affected: manipulation of the argument Password leads to OS command injection (CWE-77). The attack can be launched remotely; per the NVD v3.1 vector it requires a low-privilege account and no user interaction. A public exploit has been disclosed and may be used. The vendor was contacted early about this disclosure but did not respond in any way. No fixed version is listed.
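Because no detection rule is indexed for this CVE, the following is an added example (not from the advisory, the vendor, or any public exploit) of a log heuristic a defender could run today: it flags requests to /billing/test_accesscodelogin.php whose Password parameter contains shell metacharacters. The advisory does not say which HTTP method or which shell construct is used, so the example assumes the parameter arrives in the query string (as a standard access log would record it) and treats any shell metacharacter as suspicious rather than matching a specific payload. The log lines are constructed for the example.

```python
"""Added example (not from the advisory or vendor): flag requests to the
UniBox endpoint named in CVE-2025-6103 whose Password parameter carries
shell metacharacters. The injection primitive is not public ('unknown
functionality'), so this is a heuristic on the parameter the advisory
names, not a signature for a known payload. Log lines are constructed."""
import re
from urllib.parse import urlsplit, parse_qs

TARGET_PATH = "/billing/test_accesscodelogin.php"  # path from the advisory
PARAM = "password"  # advisory names 'Password'; compared case-insensitively
# Characters that let a value escape a shell command string (assumption:
# the vulnerable code builds a command string from Password).
SHELL_META = re.compile(r"[;|&`$\n]")

# Combined-log-format lines, constructed for this example (GET query assumed).
SAMPLE_LOG = """\
10.0.0.7 - - [16/Jun/2025:10:01:02 +0000] "GET /billing/test_accesscodelogin.php?accesscode=ABC123&Password=hunter2 HTTP/1.1" 200 512
10.0.0.9 - - [16/Jun/2025:10:01:05 +0000] "GET /billing/test_accesscodelogin.php?accesscode=ABC123&Password=x%3Bid HTTP/1.1" 200 611
10.0.0.9 - - [16/Jun/2025:10:01:07 +0000] "GET /billing/test_accesscodelogin.php?accesscode=ABC123&Password=x%60cat%20%2Fetc%2Fpasswd%60 HTTP/1.1" 200 2048
10.0.0.11 - - [16/Jun/2025:10:02:00 +0000] "GET /index.php?Password=a%3Bb HTTP/1.1" 200 100
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def suspicious_password_values(target):
    """Return decoded Password values from a request target that contain
    shell metacharacters; empty list if the path is not the affected file."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return []
    hits = []
    # parse_qs percent-decodes, so x%3Bid is inspected as 'x;id'
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key.lower() != PARAM:
            continue
        hits.extend(v for v in values if SHELL_META.search(v))
    return hits


def scan(log_text):
    """Return (ip, timestamp, decoded_value) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for v in suspicious_password_values(m["target"]):
            findings.append((m["ip"], m["ts"], v))
    return findings


if __name__ == "__main__":
    for ip, ts, v in scan(SAMPLE_LOG):
        print(f"{ts} {ip} Password={v!r}")
```

The check only sees what the web server logs: if the form posts Password in the request body, a standard access log will not contain it, and the same parameter inspection has to run in a WAF or in application-level request logging instead. Expect benign hits from legitimate passwords that contain `$` or `&`; the path restriction keeps those to a small, reviewable set.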
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wifi-soft | unibox_controller | up to 20250506 | none listed |
| trpc | server | >= 11.0.0 < 11.1.1 | 11.1.1 |

The trpc/server range belongs to the cross-linked GHSA for CVE-2025-43855 (tRPC 11 WebSocket DoS) listed below, not to the UniBox Controller issue.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 7.4 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
GHSA
GHSA-p533-wc7f-4jvp (ghsa_unreviewed, 2025-06-16): CVE-2025-6103 [HIGH] CWE-77
Advisory text is identical to the NVD description above.
GHSA
ghsa (2025-04-24): CVE-2025-43855 [HIGH] CWE-248 tRPC 11 WebSocket DoS Vulnerability
### Summary
An unhandled error is thrown when validating invalid connectionParams, which crashes a tRPC WebSocket server. This allows any unauthenticated user to crash a tRPC 11 WebSocket server.
### Details
Any tRPC 11 server with WebSocket enabled and a `createContext` method set is vulnerable. Here is an example:
https://github.com/user-attachments/assets/ce1b2d32-6103-4e54-8446-51535b293b05
I have a working reproduction here if you would like to test: https://github.com/lukechilds/trpc-vuln-reproduction
The connectionParams logic introduced in https://github.com/trpc/trpc/pull/5839 does not safely handle invalid connectionParams objects. During validation if the object does not match an expected shape an error will be thrown:
https://github.co
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.