CVE-2025-55423

A command injection vulnerability exists in the upnp_relay() function in multiple ipTIME router models because the controlURL value used to pass port-forwarding information to an upper router is passed to system() without proper validation or sanitization, allowing OS command injection.

Published: Jan 20, 2026
Updated: Jan 31, 2026
CVE: CVE-2025-55423
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-94

Affected Software
References

Software	From	Fixed in
iptime / n104s-r1_firmware	9.90.8	10.02.2.x
iptime / n104v_firmware	9.90.8	10.06.8.x
iptime / n1e_firmware	9.90.8	10.06.8.x
iptime / n1plus_firmware	9.90.8	10.06.8.x
iptime / n1plus-i_firmware	9.99.6	10.06.8.x
iptime / n1v_firmware	11.01.2	12.07.6.x
iptime / n2e_firmware	9.90.8	10.06.8.x
iptime / n2eplus_firmware	9.90.8	10.06.8.x
iptime / n2plus_firmware	9.90.8	10.06.8.x
iptime / n2plus-i_firmware	9.99.6	10.06.8.x
iptime / n2v_firmware	10.09.2	12.16.8.x
iptime / n2vs_firmware	12.16.8	12.16.8.x
iptime / n3_firmware	9.93.2	10.06.8.x
iptime / n3-i_firmware	9.99.6	10.06.8.x
iptime / n5_firmware	9.90.8	10.06.8.x
iptime / n5-i_firmware	9.99.6	10.06.8.x
iptime / n6_firmware	9.96.8	10.06.8.x
iptime / n600_firmware	10.00.8	12.16.2.x
iptime / n6004r_firmware	9.90.8	10.02.2.x
iptime / n602e_firmware	11.96.6	12.16.8.x
iptime / n602eplus_firmware	12.14.2	12.16.2.x
iptime / n602se_firmware	14.19.0	14.19.4.x
iptime / n604_black_firmware	9.93.8	12.16.2.x
iptime / n604a_firmware	9.90.8	10.06.8.x
iptime / n604e_firmware	10.09.2	14.19.4.x
iptime / n604eplus_firmware	12.14.2	14.19.4.x
iptime / n604plus_firmware	9.90.8	12.15.2.x
iptime / n604plus-i_firmware	9.99.6	12.14.6.x
iptime / n604r_firmware	9.90.8	10.06.8.x
iptime / n604rplus_firmware	9.90.8	10.06.8.x
iptime / n604rplus-i_firmware	9.99.6	10.06.8.x
iptime / n604s_firmware	9.90.8	10.06.8.x
iptime / n604se_firmware	14.18.4	14.19.4.x
iptime / n604t_firmware	9.90.8	10.03.2.x
iptime / n604tplus_firmware	9.90.8	10.03.2.x
iptime / n604v_firmware	9.90.8	10.06.8.x
iptime / n604vplus_firmware	9.90.8	10.06.8.x
iptime / n7004ns_firmware	9.91.2	9.91.2.x
iptime / n702bcm_firmware	9.90.8	12.16.2.x
iptime / n702e_firmware	10.09.2	12.16.2.x
iptime / ax11000_firmware	14.16.6	14.19.4.x
iptime / ax2002mesh_firmware	14.16.6	14.19.4.x
iptime / ax2004_firmware	14.17.4	14.19.4.x
iptime / ax2004bcm_firmware	12.04.2	14.19.4.x
iptime / ax2004m_firmware	14.02.0	14.19.4.x
iptime / ax3004bcm_firmware	14.16.2	14.19.4.x
iptime / ax3004itl_firmware	12.01.2	14.19.4.x
iptime / ax8004bcm_firmware	11.97.2	14.19.4.x
iptime / ax8004m_firmware	14.05.2	14.19.4.x
iptime / ax8008m_firmware	14.15.4	14.19.4.x
iptime / a1_firmware	9.96.8	10.07.4.x
iptime / a1004_firmware	9.90.8	12.16.2.x
iptime / a1004ns_firmware	9.96.0	12.16.2.x
iptime / a1004v_firmware	9.90.8	12.16.2.x
iptime / a104_firmware	9.90.8	10.03.8.x
iptime / a104ns_firmware	9.96.0	12.16.2.x
iptime / a104r_firmware	9.90.8	10.07.4.x
iptime / a2003mu_firmware	12.13.0	12.16.2.x
iptime / a2003ns-mu_firmware	10.00.6	12.16.2.x
iptime / a2004_firmware	9.90.8	10.07.4.x
iptime / a2004mu_firmware	10.08.6	12.17.0.x
iptime / a2004ns_firmware	9.90.8	11.00.4.x
iptime / a2004ns-mu_firmware	10.08.6	12.17.0.x
iptime / a2004ns-r_firmware	9.90.8	11.00.4.x
iptime / a2004nsplus_firmware	9.90.8	11.00.4.x
iptime / a2004plus_firmware	9.90.8	10.07.4.x
iptime / a2004r_firmware	9.90.8	10.07.4.x
iptime / a2004se_firmware	14.16.6	14.19.4.x
iptime / a2008_firmware	9.90.8	10.07.4.x
iptime / a3_firmware	9.97.2	10.07.2.x
iptime / a3002mesh_firmware	12.05.4	14.19.4.x
iptime / a3003ns_firmware	9.99.8	11.00.4.x
iptime / a3004_firmware	9.90.8	10.08.2.x
iptime / a3004-dual_firmware	9.90.4	10.07.2.x
iptime / a3004m_firmware	14.18.4	14.19.4.x
iptime / a3004ns_firmware	9.90.2	10.09.4.x
iptime / a3004ns-bcm_firmware	9.95.8	11.00.4.x
iptime / a3004ns-dual_firmware	9.90.4	12.09.4.x
iptime / a3004ns-m_firmware	10.05.4	14.19.4.x
iptime / a3004t_firmware	12.10.2	14.19.4.x
iptime / a3004tw_firmware	14.15.2	14.19.4.x
iptime / a3008-mu_firmware	10.08.4	14.19.4.x
iptime / a304_firmware	10.05.4	10.07.4.x
iptime / a5004ns_firmware	9.90.2	11.00.4.x
iptime / a5004ns-m_firmware	10.05.4	14.19.4.x
iptime / a6004mx_firmware	12.04.6	14.19.4.x
iptime / a6004ns_firmware	9.90.2	11.00.4.x
iptime / a6004ns-m_firmware	9.99.8	14.19.4.x
iptime / a604_firmware	9.90.8	12.06.6.x
iptime / a604-v3_firmware	10.01.6	10.07.2.x
iptime / a604-v5_firmware	10.09.2	12.16.2.x
iptime / a604g-mu_firmware	10.07.4	12.16.2.x
iptime / a604g-skylife_firmware	12.02.4	12.12.4.x
iptime / a604m_firmware	10.06.4	10.07.2.x
iptime / a604mu_firmware	12.12.4	12.16.2.x
iptime / a604r_firmware	10.09.2	12.16.2.x
iptime / a604se_firmware	14.17.2	14.19.4.x
iptime / a604v_firmware	9.90.8	10.07.4.x
iptime / a6ns-m_firmware	10.01.6	14.19.4.x
iptime / a7004m_firmware	10.06.8	14.19.4.x
iptime / a704ns-bcm_firmware	9.95.8	11.00.4.x
iptime / a7ns_firmware	9.96.0	11.00.4.x
iptime / a8004bcm_firmware	11.99.1	12.16.2.x
iptime / a8004itl_firmware	11.00.4	14.19.4.x
iptime / a8004ns-m_firmware	9.99.2	14.19.4.x
iptime / a8004t_firmware	10.06.8	14.19.4.x
iptime / a8004t-xr_firmware	11.97.2	14.19.4.x
iptime / a804ns-mu_firmware	10.06.4	12.10.2.x
iptime / a8ns-m_firmware	10.03.2	14.19.4.x
iptime / a9004m_firmware	10.05.4	14.19.4.x
iptime / a9004m-x2_firmware	11.98.2	14.19.4.x
iptime / ew302n_firmware	9.90.8	12.16.2.x
iptime / n102e_firmware	11.00.8	12.15.2.x
iptime / n102eplus_firmware	12.14.2	12.15.2.x
iptime / n102i_firmware	11.01.2	12.15.2.x
iptime / n102iplus_firmware	12.14.2	12.15.2.x
iptime / n104_black_firmware	9.93.8	10.06.8.x
iptime / n104e_firmware	10.09.4	12.15.2.x
iptime / n104eplus_firmware	12.14.2	12.15.2.x
iptime / n104k_firmware	9.90.8	10.06.8.x
iptime / n104plus_firmware	9.90.8	10.06.8.x
iptime / n104plus-i_firmware	9.99.6	10.06.8.x
iptime / n104q_firmware	9.90.8	10.06.8.x
iptime / n104q-i_firmware	9.99.6	10.06.8.x
iptime / n104r_firmware	9.90.8	10.06.8.x
iptime / n702eplus_firmware	12.12.4	12.16.2.x
iptime / n702r_firmware	10.05.8	10.06.8.x
iptime / n704-a3_firmware	9.90.8	10.06.8.x
iptime / n704bcm_firmware	9.90.8	12.16.2.x
iptime / n704e_firmware	11.98.4	12.16.2.x
iptime / n704eplus_firmware	12.14.2	12.16.2.x
iptime / n704ns_firmware	9.91.4	9.96.0.x
iptime / n704qca_firmware	10.02.4	12.16.2.x
iptime / n704v3_firmware	9.90.8	12.10.2.x
iptime / n8004r_firmware	9.90.8	10.02.2.x
iptime / n8004v_firmware	9.90.8	10.02.2.x
iptime / n804_firmware	9.91.2	9.96.8.x
iptime / n804a_firmware	9.91.2	9.96.8.x
iptime / n804a3_firmware	9.90.8	9.96.8.x
iptime / n804r_firmware	10.06.4	12.16.2.x
iptime / n804t_firmware	9.91.2	9.96.8.x
iptime / n804t3_firmware	9.90.8	9.96.8.x
iptime / n804v_firmware	9.91.2	9.96.8.x
iptime / n904_firmware	9.90.8	10.02.2.x
iptime / n904ns_firmware	9.91.4	9.96.0.x
iptime / n904plus_firmware	9.90.8	10.02.2.x
iptime / n904v_firmware	9.90.8	10.02.2.x
iptime / smart_firmware	9.90.8	9.94.2.x
iptime / q1_firmware	9.91.2	9.91.2.x
iptime / q304_firmware	9.91.2	9.91.2.x
iptime / q504_firmware	9.91.2	9.91.2.x
iptime / q604_firmware	9.91.2	9.91.2.x
iptime / t16000_firmware	9.91.2	11.03.6.x
iptime / t16000m_firmware	12.07.4	14.19.4.x
iptime / t24000_firmware	9.91.2	11.03.6.x
iptime / t24000m_firmware	12.07.4	14.19.4.x
iptime / t3004_firmware	9.90.8	12.07.6.x
iptime / t3008_firmware	9.90.8	12.09.6.x
iptime / t5004_firmware	11.96.4	14.19.4.x
iptime / t5008_firmware	11.98.2	14.19.4.x
iptime / v304_firmware	9.91.2	9.91.2.x
iptime / v504_firmware	9.90.8	12.15.2.x
iptime / v508_firmware	10.02.2	10.06.4.x

Vulnerability Database

322,732

CVE-2025-55423

Deep Security Visibility Without the Complexity