CVE-2025-43989

Published: Aug 13, 2025

Modified: Aug 13, 2025

PUBLISHED

Description

The /goform/formJsonAjaxReq POST endpoint of Shenzhen Tuoshi NR500-EA RG500UEAABxCOMSLICv3.4.2731.16.43 devices mishandles the set_timesetting action with the ntpserver0 parameter, which is used in a system command. By setting a username=admin cookie (bypassing normal session checks), an unauthenticated attacker can use that parameter to execute arbitrary OS commands.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/actuator/cve/tree/main/Tuoshi

https://drive.proton.me/urls/H7J1DPNA00#XrmRLENzyZAp

https://drive.proton.me/urls/QDVK6E2SBR#8LlpbHWzHdmr

https://github.com/actuator/cve/blob/main/Tuoshi/CVE-2025-43989.txt

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-43989

Description

Affected Products

References