CVE-2025-8480

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-8480
Alpine iLX-507 Command Injection Remote Code Execution. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Alpine iLX-507 devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Tidal music streaming application. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-26357.

8.0 /10

CVSS v3 : HIGH

V3 Legend

Vector : AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability : 2.1 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://www.zerodayinitiative.com/advisories/ZDI-25-766/ Third Party Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:alpine-usa:ilx-507_firmware:6.0.000:*:*:*:*:*:*:*
cpe:2.3:h:alpine-usa:ilx-507:-:*:*:*:*:*:*:*
History

05 Aug 2025, 18:42

Type Values Removed Values Added
First Time Alpine-usa
Alpine-usa ilx-507
Alpine-usa ilx-507 Firmware
CPE cpe:2.3:o:alpine-usa:ilx-507_firmware:6.0.000:*:*:*:*:*:*:*
cpe:2.3:h:alpine-usa:ilx-507:-:*:*:*:*:*:*:*
References () https://www.zerodayinitiative.com/advisories/ZDI-25-766/ - () https://www.zerodayinitiative.com/advisories/ZDI-25-766/ - Third Party Advisory

04 Aug 2025, 15:06

Type Values Removed Values Added
Summary
  • (es) Ejecución remota de código mediante inyección de comandos en Alpine iLX-507. Esta vulnerabilidad permite a atacantes adyacentes a la red ejecutar código arbitrario en las instalaciones afectadas de los dispositivos Alpine iLX-507. No se requiere autenticación para explotar esta vulnerabilidad. La falla específica existe en la aplicación de streaming de música Tidal. El problema se debe a la falta de validación adecuada de una cadena proporcionada por el usuario antes de usarla para ejecutar una llamada al sistema. Un atacante puede aprovechar esta vulnerabilidad para ejecutar código en el contexto del dispositivo. Anteriormente, se denominó ZDI-CAN-26357.

01 Aug 2025, 18:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-08-01 18:15

Updated : 2025-08-05 18:42

NVD link : CVE-2025-8480

Mitre link : CVE-2025-8480

CVE.ORG link : CVE-2025-8480

JSON object : View

Products Affected

alpine-usa

  • ilx-507_firmware
  • ilx-507
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')