Description
An authenticated command injection vulnerability exists in the Polycom HDX Series command shell interface accessible over Telnet. The lan traceroute command in the devcmds console accepts unsanitized input, allowing attackers to execute arbitrary system commands. By injecting shell metacharacters through the traceroute interface, an attacker can achieve remote code execution under the context of the root user. This flaw affects systems where Telnet access is enabled and either unauthenticated access is allowed or credentials are known.
Published: 2025-07-10
Score: 7.5 High
EPSS: 50.8% High
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is a command injection flaw (CWE-78) in the lan traceroute command of the Polycom HDX Series Telnet shell. Because the input is not sanitized, an attacker can inject shell metacharacters and run arbitrary commands with root privileges. The flaw is triggered through the devcmds console accessible over Telnet, giving remote code execution as root.

Affected Systems

Affected systems are Polycom HDX Series devices that have Telnet enabled. The vulnerability manifests when the lan traceroute command is used; it affects all firmware releases of the HDX Series for which the command is present. No specific version range is listed in the CNA data, so any device with Telnet service and the devcmds console is potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.5 indicates a high risk of impact, while the EPSS score of 51% suggests a moderate‑high likelihood that attackers may target affected systems. The vulnerability is not yet in the CISA KEV catalog, but its exploitability via authenticated or known‑credential Telnet sessions makes it a serious threat. Attackers need the ability to connect over Telnet and either have valid credentials or the device must allow unauthenticated access to exploit the flaw.

Generated by OpenCVE AI on April 28, 2026 at 01:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the Polycom HDX Series hotfix or firmware update that resolves the lan traceroute command injection flaw.
  • Disable Telnet service on the device or restrict it to local or secured network access to prevent external exploitation.
  • Enforce strong authentication and limit user privileges for Telnet access; consider disabling the devcmds console if it is not required.
  • Monitor system logs for unexpected traceroute commands or anomalous command shell activity.

Advisories
Source: EUVD
ID: EUVD-2025-21033
Title: An authenticated command injection vulnerability exists in the Polycom HDX Series command shell interface accessible over Telnet. The lan traceroute command in the devcmds console accepts unsanitized input, allowing attackers to execute arbitrary system commands. By injecting shell metacharacters through the traceroute interface, an attacker can achieve remote code execution under the context of the root user. This flaw affects systems where Telnet access is enabled and either unauthenticated access is allowed or credentials are known.

History

Fri, 21 Nov 2025 19:30:00 +0000

Type: First Time appeared
Values Added: Polycom; Polycom hdx

Type: CPEs
Values Added: cpe:2.3:a:polycom:hdx:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Polycom; Polycom hdx

Wed, 16 Jul 2025 13:45:00 +0000

Type: Metrics
Values Removed: epss {'score': 0.00525}
Values Added: epss {'score': 0.0074}

Fri, 11 Jul 2025 13:45:00 +0000

Type: Metrics
Values Added: epss {'score': 0.00525}

Thu, 10 Jul 2025 21:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 10 Jul 2025 19:30:00 +0000

Type: Description
Values Added: An authenticated command injection vulnerability exists in the Polycom HDX Series command shell interface accessible over Telnet. The lan traceroute command in the devcmds console accepts unsanitized input, allowing attackers to execute arbitrary system commands. By injecting shell metacharacters through the traceroute interface, an attacker can achieve remote code execution under the context of the root user. This flaw affects systems where Telnet access is enabled and either unauthenticated access is allowed or credentials are known.

Type: Title
Values Added: Polycom HDX Series Telnet Command Injection via lan traceroute

Type: Weaknesses
Values Added: CWE-78

Type: References

Type: Metrics
Values Added: cvssV4_0 {'score': 7.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-07T14:09:24.426Z

Reserved: 2025-04-15T19:15:22.551Z

Link: CVE-2025-34093

Vulnrichment

Updated: 2025-07-10T20:26:54.104Z

NVD

Status: Deferred

Published: 2025-07-10T20:15:24.790

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-34093

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T01:15:15Z
