New Rock Technologies Cloud Connected Devices

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: New Rock Technologies
  • Equipment: Cloud Connected Devices
  • Vulnerabilities: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’), Improper Neutralization of Wildcards or Matching Symbols

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to gain full control of the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of New Rock Technologies Cloud Connected Devices are affected:

  • OM500 IP-PBX: All versions
  • MX8G VoIP Gateway: All versions
  • NRP1302/P Desktop IP Phone: All versions

3.2 Vulnerability Overview

3.2.1 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) CWE-78

Affected products contain a vulnerability in the device cloud RPC command handling process that could allow remote attackers to take control of arbitrary devices connected to the cloud.

CVE-2025-0680 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-0680. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

This article has been indexed from All CISA Advisories
