CVE-2025-43984

An issue was discovered on KuWFi GC111 devices (Hardware Version: CPE-LM321_V3.2, Software Version: GC111-GL-LM321_V3.0_20191211). They are vulnerable to unauthenticated /goform/goform_set_cmd_process requests. A crafted POST request, using the SSID parameter, allows remote attackers to execute arbitrary OS commands with root privileges.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://drive.proton.me/urls/1NRPNBE678#lFyUYIRIBZO5
https://github.com/actuator/cve/blob/main/Kuwfi/CVE-2025-43984.txt
https://github.com/actuator/cve/tree/main/kuwfi
https://www.kuwfi.com/products/300mbps-industrial-router-cat4-4g-cpe-router-extender-strong-wifi-signal-suport-32wifi-users-with-sim-card-slot-95

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Se detectó un problema en los dispositivos KuWFi GC111 (versión de hardware: CPE-LM321_V3.2, versión de software: GC111-GL-LM321_V3.0_20191211). Son vulnerables a solicitudes /goform/goform_set_cmd_process no autenticadas. Una solicitud POST manipulada, que utiliza el parámetro SSID, permite a atacantes remotos ejecutar comandos arbitrarios del sistema operativo con privilegios de root.

15 Aug 2025, 13:15

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
CWE		CWE-78

14 Aug 2025, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-14 14:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-43984

Mitre link : CVE-2025-43984

CVE.ORG link : CVE-2025-43984

JSON object : View

Products Affected

No product.

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

9.8 /10