CVE-2025-55423
high-risk
Published 2026-01-20
A command injection vulnerability exists in the upnp_relay() function in multiple ipTIME router models: the controlURL value, which is used to pass port-forwarding information to an upper router, is passed to system() without proper validation or sanitization, allowing OS command injection.
Do I need to act?
0.58% chance of exploitation
EPSS score — low exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 9.8/10
Critical
NETWORK / LOW complexity
Affected Products (20)
N104S-R1 Firmware
N104V Firmware
N1E Firmware
N1Plus Firmware
N1Plus-I Firmware
N1V Firmware
N2E Firmware
N2Eplus Firmware
N2Plus Firmware
N2Plus-I Firmware
N2V Firmware
N2Vs Firmware
N3 Firmware
N3-I Firmware
N5 Firmware
N5-I Firmware
N6 Firmware
N600 Firmware
N6004R Firmware
N602E Firmware
Affected Vendors
References (4)
Third Party Advisory
https://docs.google.com/spreadsheets/d/1kryOFltCmnPJvDTpIrudgryt79uI4PWchuQ8-Gak...
Third Party Advisory
https://github.com/0x0xxxx/CVE/blob/main/CVE-2025-55423/assets/affected_products...
67 / 100
high-risk
Severity
32/34 · Critical
Exploitability
2/34 · Minimal
Exposure
33/34 · Critical