CVE-2025-0680
CRITICAL
New Rock Technologies OM500 IP-PBX - OS Command Injection via Cloud RPC Command Handling
Title source: manual
Description
Affected products contain a vulnerability in the device cloud rpc command handling process that could allow remote attackers to take control over arbitrary devices connected to the cloud.
References (2)
Core References
Various Sources
https://www.newrocktech.com/ContactUs/index.html
Third Party Advisory, US Government Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-25-030-02
Scores
CVSS v3
9.8
EPSS
0.0057
EPSS Percentile
42.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-78
Status
published
Products (3)
New Rock Technologies/MX8G VoIP Gateway
All
New Rock Technologies/NRP1302/P Desktop IP Phone
All
New Rock Technologies/OM500 IP-PBX
All
Published
Jan 30, 2025
Tracked Since
Feb 18, 2026