Westermo-25-07: CVE-2025-46418 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Severity: HIGH

Date: 2025-06-30

Description

Westermo has identified a vulnerability in WeOS 5 that potentially could be used to inject OS commands due to unsafe handling of media definitions.

Affected versions

WeOS 5: Affects WeOS 5 version 5.23 and later.
WeOS 4 is not affected.

Impact

The vulnerability described allows an attacker with administrative permissions to specify commands that would typically be inaccessible. This enables the execution of alternate commands with privileges beyond those granted to the attacker.

Severity

Category	Details
Base score	The CVSS severity base score is 7.6
Environmental	The CVSS environmental score is 6.3
Vector string	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H/MAV:A/MS:U

Mitigation

We recommend the following mitigations that do not require an update:

Limit administration account access to trusted parties.
Use best practices for passwords related to administration accounts.

Updates

Currently no update is available.

References

WeOS - Westermo Operating System: Westermo
CWE - CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (4.17)

Revision History

Jun 30, 2025: Initial release

	Westermo-25-08: Sensitive Information in Logging Vulnerability Details on Westermo-25-08 vulnerability concerning sensitive information exposure in logging for WeOS 5, including impact, severity, and mitigation strategies.
	Westermo WeOS 5.25.2 Release Notes: Software Updates, Bug Fixes, and Known Issues Detailed release notes for Westermo WeOS version 5.25.2, covering new features, bug fixes, known limitations, and important user information for industrial network devices. Includes information on security enhancements and CLI changes.
	Westermo Lynx RedBox Industrial Switches User Guide Comprehensive user guide for Westermo Lynx RedBox industrial switches, covering installation, specifications, safety regulations, and product features. This guide is intended for installation engineers and users of Westermo products.
	Westermo Lynx 5600 Series User Guide: Industrial Gigabit Ethernet Switch Comprehensive user guide for the Westermo Lynx 5600 Series industrial Gigabit Ethernet switch, covering installation, safety, specifications, and compliance. Learn about its features for substation automation.
	Westermo Viper-8 Series User Guide Comprehensive user guide for the Westermo Viper-8 Series, a managed Gigabit routing switch designed for railway rolling stock applications. This guide covers product description, safety information, installation, specifications, and compliance.
	Westermo Release Notes - Firmware Version 1.9.8.0 and Historical Updates Comprehensive release notes for Westermo industrial networking devices, detailing firmware updates from version 1.9.8.0 back to 1.9.0.0, including new features, enhancements, and bug fixes.
	Westermo Lynx 3000 Series User Guide: Industrial Ethernet Switch Comprehensive user guide for the Westermo Lynx 3000 Series industrial Ethernet switches. Learn about product features, specifications, installation, safety regulations, and compliance information.
	Westermo Viper-20A Series: Managed Gigabit Ethernet Switch Router for Rolling Stock Discover the Westermo Viper-20A Series, a compact and robust industrial 20-port managed Gigabit Ethernet switch router designed for demanding railway environments. Compliant with EN 50155 and other key industry standards, it offers advanced Layer 2 and Layer 3 routing, high availability, and cybersecurity features.