Description
OS command injection in the CWMP client (/ftl/bin/cwmp) of Small Cell Sercomm SCE4255W (FreedomFi Englewood) firmware before DG3934v3@2308041842 allows remote attackers controlling the ACS endpoint to execute arbitrary commands as root via a crafted TR-069 Download URL that is passed unescaped into the firmware upgrade pipeline.
Published: 2026-03-19
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

OS command injection in the CWMP client (/ftl/bin/cwmp) of Sercomm SCE4255W firmware allows an attacker who controls the ACS endpoint to execute arbitrary shell commands as root. The flaw results in full compromise of the device: confidentiality, integrity and availability are all affected. The vulnerability is classified as CWE-94 and carries a CVSS score of 9.8.

Affected Systems

The affected devices are Small Cell Sercomm SCE4255W units, marketed as FreedomFi Englewood. Firmware versions prior to DG3934v3@2308041842 are vulnerable. No specific CNA vendor/product identifiers were provided, but the devices are listed in the FCC report and related community advisories.

Risk and Exploitability

The flaw poses a high risk, with a CVSS score of 9.8 and an EPSS likelihood of less than 1%. It is not currently listed in the CISA KEV catalog. Exploitation requires remote access to the ACS endpoint and the ability to craft a TR-069 Download URL, which is passed unescaped into the firmware upgrade pipeline. The attack vector is therefore remote, and only customers exposing their ACS to untrusted networks are at immediate risk. Widespread exploitation has not been reported, consistent with the low EPSS score, but the severity warrants swift action.

Generated by OpenCVE AI on March 24, 2026 at 03:28 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the device firmware to DG3934v3 or later, if a patched version is available.
  • If an update is unavailable, restrict ACS access to trusted IP ranges and enforce strong authentication for ACS communication.
  • Disable or limit the use of the TR-069 Download URL feature if possible to prevent unescaped command injection.
  • Implement network segmentation and monitor ACS logs for anomalous download URL requests.
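The weakness described above, and the recommended action of limiting the Download URL feature, both come down to how the CWMP client hands the ACS-supplied URL to the upgrade pipeline. The following C program is an added illustration written for this page; it is not code from the Sercomm firmware or from OpenCVE. It contrasts the weak pattern of formatting the URL straight into a shell command string with a hardened path that validates the URL against a strict allowlist and builds a fixed argv for a downloader helper, so no shell ever interprets the string. The helper path /PLACEHOLDER/fw_fetch, the wget-style command, the function names and the sample URLs are all assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Illustrative hardening for a CWMP/TR-069 client (not the vendor's code).
 * The ACS-supplied Download URL is validated before it reaches the firmware
 * upgrade pipeline, and the downloader is started on a fixed argv rather
 * than through a shell command string. */

#define MAX_URL_LEN 512

/* WEAK PATTERN, the shape the advisory describes: the URL is formatted
 * into a shell command line, so any shell metacharacter it carries is
 * honoured by the shell that later runs the string. Shown for contrast
 * only; nothing here executes it. Returns the built length or -1 when
 * the buffer is too small. The wget command is a hypothetical stand-in. */
int build_upgrade_command_unsafe(const char *url, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "wget -O /tmp/fw.bin '%s'", url);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return n;
}

/* Allowlist validation: returns 1 if url is acceptable, 0 otherwise. */
int validate_download_url(const char *url)
{
    const char *p;
    size_t len;

    if (url == NULL) return 0;
    len = strlen(url);
    if (len == 0 || len >= MAX_URL_LEN) return 0;

    /* Only http:// and https:// schemes may be used for firmware images. */
    if (strncmp(url, "https://", 8) == 0) p = url + 8;
    else if (strncmp(url, "http://", 7) == 0) p = url + 7;
    else return 0;

    if (*p == '\0') return 0;  /* scheme with no host */

    /* Conservative character set: RFC 3986 unreserved characters plus the
     * few reserved ones a firmware URL legitimately needs. Whitespace,
     * quotes, control bytes, non-ASCII and shell metacharacters are all
     * rejected before the URL goes anywhere near the upgrade pipeline. */
    for (; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (isalnum(c)) continue;
        if (strchr("-._~:/?=&%", c) != NULL) continue;
        return 0;
    }
    return 1;
}

/* HARDENED PATTERN: build a fixed argv for a downloader helper (hypothetical
 * path) so the URL is only ever a single argument, never shell input.
 * Returns the number of argv entries, or -1 if the URL is unacceptable. */
int build_downloader_argv(const char *url, const char *argv[], int max)
{
    if (max < 4 || !validate_download_url(url)) return -1;
    argv[0] = "/PLACEHOLDER/fw_fetch";  /* hypothetical helper, not a real path */
    argv[1] = "--url";
    argv[2] = url;
    argv[3] = NULL;  /* ready for execv(argv[0], (char *const *)argv) */
    return 3;
}

/* Convenience wrapper: how many argv entries would be produced for url. */
int downloader_argv_count(const char *url)
{
    const char *argv[4];
    return build_downloader_argv(url, argv, 4);
}

int main(void)
{
    /* Constructed sample URLs: one well-formed, one wrong scheme, one with
     * whitespace that the weak pattern would pass through untouched. */
    const char *samples[] = {
        "https://acs.example.net/fw/DG3934v3.bin",
        "ftp://acs.example.net/fw.bin",
        "https://acs.example.net/fw.bin x",
    };
    char cmd[MAX_URL_LEN + 64];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        build_upgrade_command_unsafe(samples[i], cmd, sizeof cmd);
        printf("%-42s validator=%d argv_entries=%d\n", samples[i],
               validate_download_url(samples[i]),
               downloader_argv_count(samples[i]));
        printf("  weak command string would be: %s\n", cmd);
    }
    return 0;
}
```

The validator is deliberately stricter than the URL grammar: an ACS pushing a firmware image has no need for spaces, quotes or backticks in the URL, so rejecting the whole request is cheaper and safer than trying to escape it. The monitoring action above pairs naturally with this check; a rejected Download request is exactly the kind of anomalous ACS traffic worth logging.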

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 02:30:00 +0000

Type         Values Removed   Values Added
Weaknesses                    CWE-94
Metrics                       cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                              ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Freedomfi
                                       Freedomfi sercomm Sce4255w
Vendors & Products                     Freedomfi
                                       Freedomfi sercomm Sce4255w

Thu, 19 Mar 2026 17:45:00 +0000

Type          Values Removed   Values Added
Description                    OS command injection in the CWMP client (/ftl/bin/cwmp) of Small Cell Sercomm SCE4255W (FreedomFi Englewood) firmware before DG3934v3@2308041842 allows remote attackers controlling the ACS endpoint to execute arbitrary commands as root via a crafted TR-069 Download URL that is passed unescaped into the firmware upgrade pipeline.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-24T01:20:45.931Z

Reserved: 2025-12-08T00:00:00.000Z

Link: CVE-2025-67113

Vulnrichment

Updated: 2026-03-24T01:20:39.768Z

NVD

Status : Awaiting Analysis

Published: 2026-03-19T18:16:15.600

Modified: 2026-03-24T02:16:03.647

Link: CVE-2025-67113

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:51:42Z

Weaknesses