CVE-2025-13605
CRITICALShell command injection in 3onedata GW1101-1D(RS-485)-TB-P modbus gateway
Title source: cnaDescription
3onedata modbus gateway device model GW1101-1D(RS-485)-TB-P (hardware version V2.2.0) allows authenticated users to execute arbitrary shell commands in the context of the root user by providing payload in the "IP address" field of the diagnosis test tools. This issue has been resolved in firmware version 3.0.59B2024080600R4353
References (1)
Core 1
Core References
Third Party Advisory third-party-advisory
https://cert.pl/en/posts/2026/05/CVE-2025-13605
Scores
CVSS v4
9.3
EPSS
0.0020
EPSS Percentile
9.7%
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-78
Status
published
Products (1)
3onedata/GW1101-1D(RS-485)-TB-P
< 3.0.59B2024080600R4353
Published
May 04, 2026
Tracked Since
May 04, 2026