CVE-2025-32455 - Vulnerability Details

The Quantenna Wi-Fi chipset ships with a local control script, router_command.sh (in the run_cmd argument), that is vulnerable to command injection. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.7 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

This issue affects Quantenna Wi-Fi chipset through version 8.0.0.28 of the latest SDK, and appears to be unpatched at the time of this CVE record's first publishing, though the vendor has released a best practices guide for implementors of this chipset.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00133.

Exploitation none

Automatable no

Technical Impact total

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

ON Semiconductor

Quantenna Wi-Fi chipset

unaffected

Version	Status	Constraints
`0`	affected	≤ 8.0.0.28

Configuration 1 [-]

AND

cpe:2.3:o:onsemi:qcs-ax3-s5_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qcs-ax3-s5:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:onsemi:qcs-ax2-a12_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qcs-ax2-a12:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:onsemi:qcs-ax2-t12_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qcs-ax2-t12:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:onsemi:qcs-ax2-t8_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qcs-ax2-t8:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:onsemi:qd840_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qd840:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:o:onsemi:qhs710_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qhs710:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND

cpe:2.3:o:onsemi:qsr10ga_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qsr10ga:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND

cpe:2.3:o:onsemi:qsr10gu_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qsr10gu:-:*:*:*:*:*:*:*

Configuration 9 [-]

AND

cpe:2.3:o:onsemi:qv840_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qv840:-:*:*:*:*:*:*:*

Configuration 10 [-]

AND

cpe:2.3:o:onsemi:qv840c_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qv840c:-:*:*:*:*:*:*:*

Configuration 11 [-]

AND

cpe:2.3:o:onsemi:qv860_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qv860:-:*:*:*:*:*:*:*

Configuration 12 [-]

AND

cpe:2.3:o:onsemi:qv940_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qv940:-:*:*:*:*:*:*:*

Configuration 13 [-]

AND

cpe:2.3:o:onsemi:qv942c_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qv942c:-:*:*:*:*:*:*:*

Configuration 14 [-]

AND

cpe:2.3:o:onsemi:qv952c_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qv952c:-:*:*:*:*:*:*:*

Configuration 15 [-]

AND

cpe:2.3:o:onsemi:qcs-ax2-s5_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qcs-ax2-s5:-:*:*:*:*:*:*:*

Configuration 16 [-]

AND

cpe:2.3:o:onsemi:qcs-ax3-a12_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qcs-ax3-a12:-:*:*:*:*:*:*:*

Configuration 17 [-]

AND

cpe:2.3:o:onsemi:qcs-ax3-t12_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qcs-ax3-t12:-:*:*:*:*:*:*:*

Configuration 18 [-]

AND

cpe:2.3:o:onsemi:qcs-ax3-t8_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qcs-ax3-t8:-:*:*:*:*:*:*:*

No data.

Project Subscriptions

Vendors	Products
Onsemi Subscribe	Qcs-ax2-a12 Subscribe Qcs-ax2-a12 Firmware Subscribe Qcs-ax2-s5 Subscribe Qcs-ax2-s5 Firmware Subscribe Qcs-ax2-t12 Subscribe Qcs-ax2-t12 Firmware Subscribe Qcs-ax2-t8 Subscribe Qcs-ax2-t8 Firmware Subscribe Qcs-ax3-a12 Subscribe Qcs-ax3-a12 Firmware Subscribe Qcs-ax3-s5 Subscribe Qcs-ax3-s5 Firmware Subscribe Qcs-ax3-t12 Subscribe Qcs-ax3-t12 Firmware Subscribe Qcs-ax3-t8 Subscribe Qcs-ax3-t8 Firmware Subscribe Qd840 Subscribe Qd840 Firmware Subscribe Qhs710 Subscribe Qhs710 Firmware Subscribe Qsr10ga Subscribe Qsr10ga Firmware Subscribe Qsr10gu Subscribe Qsr10gu Firmware Subscribe Qv840 Subscribe Qv840 Firmware Subscribe Qv840c Subscribe Qv840c Firmware Subscribe Qv860 Subscribe Qv860 Firmware Subscribe Qv940 Subscribe Qv940 Firmware Subscribe Qv942c Subscribe Qv942c Firmware Subscribe Qv952c Subscribe Qv952c Firmware Subscribe

Advisories

Source	ID	Title
EUVD	EUVD-2025-17409	The Quantenna Wi-Fi chipset ships with a local control script, router_command.sh (in the run_cmd argument), that is vulnerable to command injection. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.7 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). This issue affects Quantenna Wi-Fi chipset through version 8.0.0.28 of the latest SDK, and appears to be unpatched at the time of this CVE record's first publishing, though the vendor has released a best practices guide for implementors of this chipset.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://community.onsemi.com/s/article/QCS-Quantenna-Wi-Fi-product-support-and-security-best-practices
https://takeonme.org/cves/cve-2025-3460

History

Tue, 13 Jan 2026 20:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Onsemi Onsemi qcs-ax2-a12 Onsemi qcs-ax2-a12 Firmware Onsemi qcs-ax2-s5 Onsemi qcs-ax2-s5 Firmware Onsemi qcs-ax2-t12 Onsemi qcs-ax2-t12 Firmware Onsemi qcs-ax2-t8 Onsemi qcs-ax2-t8 Firmware Onsemi qcs-ax3-a12 Onsemi qcs-ax3-a12 Firmware Onsemi qcs-ax3-s5 Onsemi qcs-ax3-s5 Firmware Onsemi qcs-ax3-t12 Onsemi qcs-ax3-t12 Firmware Onsemi qcs-ax3-t8 Onsemi qcs-ax3-t8 Firmware Onsemi qd840 Onsemi qd840 Firmware Onsemi qhs710 Onsemi qhs710 Firmware Onsemi qsr10ga Onsemi qsr10ga Firmware Onsemi qsr10gu Onsemi qsr10gu Firmware Onsemi qv840 Onsemi qv840 Firmware Onsemi qv840c Onsemi qv840c Firmware Onsemi qv860 Onsemi qv860 Firmware Onsemi qv940 Onsemi qv940 Firmware Onsemi qv942c Onsemi qv942c Firmware Onsemi qv952c Onsemi qv952c Firmware
CPEs		cpe:2.3:h:onsemi:qcs-ax2-a12:-:::::::* cpe:2.3:h:onsemi:qcs-ax2-s5:-:::::::* cpe:2.3:h:onsemi:qcs-ax2-t12:-:::::::* cpe:2.3:h:onsemi:qcs-ax2-t8:-:::::::* cpe:2.3:h:onsemi:qcs-ax3-a12:-:::::::* cpe:2.3:h:onsemi:qcs-ax3-s5:-:::::::* cpe:2.3:h:onsemi:qcs-ax3-t12:-:::::::* cpe:2.3:h:onsemi:qcs-ax3-t8:-:::::::* cpe:2.3:h:onsemi:qd840:-:::::::* cpe:2.3:h:onsemi:qhs710:-:::::::* cpe:2.3:h:onsemi:qsr10ga:-:::::::* cpe:2.3:h:onsemi:qsr10gu:-:::::::* cpe:2.3:h:onsemi:qv840:-:::::::* cpe:2.3:h:onsemi:qv840c:-:::::::* cpe:2.3:h:onsemi:qv860:-:::::::* cpe:2.3:h:onsemi:qv940:-:::::::* cpe:2.3:h:onsemi:qv942c:-:::::::* cpe:2.3:h:onsemi:qv952c:-:::::::* cpe:2.3:o:onsemi:qcs-ax2-a12_firmware:-:::::::* cpe:2.3:o:onsemi:qcs-ax2-s5_firmware:-:::::::* cpe:2.3:o:onsemi:qcs-ax2-t12_firmware:-:::::::* cpe:2.3:o:onsemi:qcs-ax2-t8_firmware:-:::::::* cpe:2.3:o:onsemi:qcs-ax3-a12_firmware:-:::::::* cpe:2.3:o:onsemi:qcs-ax3-s5_firmware:-:::::::* cpe:2.3:o:onsemi:qcs-ax3-t12_firmware:-:::::::* cpe:2.3:o:onsemi:qcs-ax3-t8_firmware:-:::::::* cpe:2.3:o:onsemi:qd840_firmware:-:::::::* cpe:2.3:o:onsemi:qhs710_firmware:-:::::::* cpe:2.3:o:onsemi:qsr10ga_firmware:-:::::::* cpe:2.3:o:onsemi:qsr10gu_firmware:-:::::::* cpe:2.3:o:onsemi:qv840_firmware:-:::::::* cpe:2.3:o:onsemi:qv840c_firmware:-:::::::* cpe:2.3:o:onsemi:qv860_firmware:-:::::::* cpe:2.3:o:onsemi:qv940_firmware:-:::::::* cpe:2.3:o:onsemi:qv942c_firmware:-:::::::* cpe:2.3:o:onsemi:qv952c_firmware:-:::::::*
Vendors & Products		Onsemi Onsemi qcs-ax2-a12 Onsemi qcs-ax2-a12 Firmware Onsemi qcs-ax2-s5 Onsemi qcs-ax2-s5 Firmware Onsemi qcs-ax2-t12 Onsemi qcs-ax2-t12 Firmware Onsemi qcs-ax2-t8 Onsemi qcs-ax2-t8 Firmware Onsemi qcs-ax3-a12 Onsemi qcs-ax3-a12 Firmware Onsemi qcs-ax3-s5 Onsemi qcs-ax3-s5 Firmware Onsemi qcs-ax3-t12 Onsemi qcs-ax3-t12 Firmware Onsemi qcs-ax3-t8 Onsemi qcs-ax3-t8 Firmware Onsemi qd840 Onsemi qd840 Firmware Onsemi qhs710 Onsemi qhs710 Firmware Onsemi qsr10ga Onsemi qsr10ga Firmware Onsemi qsr10gu Onsemi qsr10gu Firmware Onsemi qv840 Onsemi qv840 Firmware Onsemi qv840c Onsemi qv840c Firmware Onsemi qv860 Onsemi qv860 Firmware Onsemi qv940 Onsemi qv940 Firmware Onsemi qv942c Onsemi qv942c Firmware Onsemi qv952c Onsemi qv952c Firmware

Mon, 09 Jun 2025 18:45:00 +0000

Type	Values Removed	Values Added
Description	The Quantenna Wi-Fi chipset ships with a local control script, router_command.sh (in the run_cmd argument), that is vulnerable to command injection. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.7 ( CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) . This issue affects Quantenna Wi-Fi chipset through version 8.0.0.28 of the latest SDK, and appears to be unpatched at the time of this CVE record's first publishing, though the vendor has released a best practices guide for implementors of this chipset.	The Quantenna Wi-Fi chipset ships with a local control script, router_command.sh (in the run_cmd argument), that is vulnerable to command injection. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.7 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). This issue affects Quantenna Wi-Fi chipset through version 8.0.0.28 of the latest SDK, and appears to be unpatched at the time of this CVE record's first publishing, though the vendor has released a best practices guide for implementors of this chipset.

Mon, 09 Jun 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Sun, 08 Jun 2025 21:15:00 +0000

Type	Values Removed	Values Added
Description		The Quantenna Wi-Fi chipset ships with a local control script, router_command.sh (in the run_cmd argument), that is vulnerable to command injection. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.7 ( CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) . This issue affects Quantenna Wi-Fi chipset through version 8.0.0.28 of the latest SDK, and appears to be unpatched at the time of this CVE record's first publishing, though the vendor has released a best practices guide for implementors of this chipset.
Title		ON Semiconductor Quantenna router_command.sh (in the run_cmd argument) Argument Injection
Weaknesses		CWE-88
References		https://community.onsemi.com/s/article/QCS-Quantenna-Wi-Fi-product-support-and-security-best-practices https://takeonme.org/cves/cve-2025-3460
Metrics		cvssV3_1 `{'score': 7.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: AHA

Published: 2025-06-08T21:02:58.816Z

Updated: 2025-06-09T18:38:09.297Z

Reserved: 2025-04-08T23:41:04.752Z

Link: CVE-2025-32455

Vulnrichment

Updated: 2025-06-09T15:01:37.236Z

NVD

Status : Analyzed

Published: 2025-06-08T21:15:30.993

Modified: 2026-01-13T20:12:22.423

Link: CVE-2025-32455

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-88

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object