DCEID-2025-001: Command Injection and Info Disclosure in Mobile Routers (CVE-2025-5357/5358)

Critical Vulnerability Information Vulnerability ID DCEID-2025-001 Vulnerability Description Multiple mobile routers are vulnerable to information disclosure and command injection. Affected Products and Versions HL330-DLS (Communication Module MC7700M): Firmware versions 1.03 and earlier HL320-DLS (Communication Module MC7730M): Firmware versions 2.02 and earlier HL320-DLS (Communication Module MC7700M): Firmware versions 1.06e and earlier HL120-DLS (Communication Module MC7730M): Firmware versions 2.03 and earlier LM-100 (Communication Module AMP570M): Firmware versions 1.02 and earlier LM-200 (Communication Module C25): Firmware versions 1.05e and earlier LX Assist RS-A: Firmware versions 1.11 and earlier LX Assist RS-E: Firmware versions 1.13 and earlier F21 Assist SS-A: Firmware versions 1.03 and earlier F2L Assist SS-E: Firmware versions 1.01 and earlier Vulnerability Details Attackers may gain management access to the device over the internet, allowing them to execute arbitrary commands, resulting in full control over the device’s internal computer. This could lead to malicious software installation, data tampering, or deletion. Mitigation Measures Upgrade to the following firmware versions: HL330-DLS: Firmware version 1.04 and later HL320-DLS (MC7700M): Firmware version 1.06e and later HL320-DLS (MC7730M): Firmware version 2.03 and later HL120-DLS: Firmware version 2.03 and later LM-100: Firmware version 1.03 and later LM-200: Firmware version 1.05e and later LX Assist RS-A: Firmware version 1.12 and later LX Assist RS-E: Firmware version 1.13 and later F21 Assist SS-A: Firmware version 1.04 and later F2L Assist SS-E: Firmware version 1.02 and later Workarounds 1. Change default passwords. 2. Restrict internet access to the WAN port. Related Information JVN#98589923 CVE-2025-5357, CVE-2025-5358 Update History August 28, 2025: Public disclosure August 29, 2025: JVN link added

Goal Reached Thanks to every supporter — we hit 100%!

DCEID-2025-001: Command Injection and Info Disclosure in Mobile Routers (CVE-2025-5357/5358)