CVE-2025-43978

Published: Aug 5, 2025

Modified: Aug 5, 2025

PUBLISHED

Description

Jointelli 5G CPE 21H01 firmware JY_21H01_A3_v1.36 devices allow (blind) OS command injection. Multiple endpoints are vulnerable, including /ubus/?flag=set_WPS_pin and /ubus/?flag=netAppStar1 and /ubus/?flag=set_wifi_cfgs. This allows an authenticated attacker to execute arbitrary OS commands with root privileges via crafted inputs to the SSID, WPS, Traceroute, and Ping fields.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://www.jointelli.com/cpe/5g-cpe-evo-4.html

https://github.com/actuator/cve/tree/main/Jointelli

https://www.jointelli.com/product/25H01

https://github.com/actuator/cve/blob/main/Jointelli/CVE-2025-43978.txt

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-43978

Description

Affected Products

References