CRITICAL🇵🇱 Wersja polska

CVE-2025-28236

CVSS 9.8v3.1pub. 2025-04-18upd. 2026-04-15

Nautel VX Series transmitters VX SW v6.4.0 and below was discovered to contain a remote code execution (RCE) vulnerability in the firmware update process. This vulnerability allows attackers to execute arbitrary code via supplying a crafted update package to the /#/software/upgrades endpoint.

🤖 AI Analysis
How it works

The vulnerability concerns the firmware update mechanism and is classified as CWE-494 (Download of Code Without Integrity Check). An attacker can upload a malicious update package to the /#/software/upgrades endpoint without needing any privileges. The device does not sufficiently verify the integrity or authenticity of the provided package, resulting in the execution of malicious code contained within it at the system level.

Impact

An attacker gains the ability to execute arbitrary code on the device, which can lead to complete takeover of the transmitter, violation of data confidentiality and integrity, and disruption or complete shutdown of its operation.

Mitigation & patch

Apply patches available from the manufacturer according to the references. Until the update is applied, it is recommended to restrict network access to the device management interface (web panel) exclusively to trusted hosts and to implement network segmentation or a firewall blocking unauthorized access to the /#/software/upgrades endpoint.

Who is affected

Nautel VX Series transmitters with VX SW software version 6.4.0 and earlier

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References