CVE Catalog
CVE-2025-22906
CriticalCVSS 9.8Exploitation Probability (EPSS)
High risk2.20%
80th percentile - higher than 80% of all known CVEs
Summary
A command injection vulnerability was discovered in RE11S v1.11 via the L2TPUserName parameter at /goform/setWAN. An attacker can remotely execute arbitrary system commands.
Risk Assessment
The risk involves potential full device takeover by an unauthenticated attacker, leading to network confidentiality and integrity breaches.
Recommendation
Immediately update the RE11S firmware to the latest patched version if available. In the meantime, restrict administrative panel access to trusted IP addresses only.
Original NVD description (English source)
RE11S v1.11 was discovered to contain a command injection vulnerability via the L2TPUserName parameter at /goform/setWAN.

