CVE-2025-8646: Kenwood DMX958XR Firmware Update Command Injection

Critical Vulnerability Information Title: (0Day) Kenwood DMX958XR Firmware Update Command Injection Vulnerability ID: - ZDI-25-794 - ZDI-CAN-26269 CVE ID: CVE-2025-8646 CVSS Score: 6.8, AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Vendor: Kenwood Affected Product: DMX958XR Vulnerability Details: - This vulnerability allows a physically present attacker to execute arbitrary code on affected Kenwood DMX958XR devices. Exploitation does not require authentication. - The issue arises during the firmware update process, where insufficient validation of user-supplied strings leads to command injection before system calls are executed. Attackers can leverage this vulnerability to execute code with root privileges. Additional Details: - 2025-03-04: ZDI reported the vulnerability to the vendor. - 2025-03-18: Vendor acknowledged the report. - 2025-05-15: Vendor requested additional time to decide whether to release a fix. - 2025-06-25: Vendor indicated they were addressing the reported vulnerability. - 2025-07-29: ZDI requested an update and informed the vendor that, if no patch was available, a 0-day advisory would be published on August 1, 2025. - 2025-07-31: Vendor requested an extension until late September; ZDI declined. - Mitigation: Due to the nature of the vulnerability, the only effective mitigation is to restrict interaction with the product. Disclosure Timeline: - 2025-03-04: Vulnerability reported to vendor - 2025-08-05: Coordinated public advisory release - 2025-08-05: Advisory updated Acknowledgments: @ByteInsight

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2025-8646: Kenwood DMX958XR Firmware Update Command Injection