CVE-2025-32457 - Vulnerability Details

CVE-2025-32457 - ON Semiconductor Quantenna router_command.sh (in the get_file_from_qtn argument) Argument Injection

The Quantenna Wi-Fi chipset ships with a local control script, router_command.sh (in the get_file_from_qtn argument), that is vulnerable to command injection. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.7 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). This issue affects Quantenna Wi-Fi chipset through version 8.0.0.28 of the latest SDK, and appears to be unpatched at the time of this CVE record's first publishing, though the vendor has released a best practices guide for implementors of this chipset.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00087.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Onsemi	Qcs-ax2-a12 Qcs-ax2-a12 Firmware Qcs-ax2-s5 Qcs-ax2-s5 Firmware Qcs-ax2-t12 Qcs-ax2-t12 Firmware Qcs-ax2-t8 Qcs-ax2-t8 Firmware Qcs-ax3-a12 Qcs-ax3-a12 Firmware Qcs-ax3-s5 Qcs-ax3-s5 Firmware Qcs-ax3-t12 Qcs-ax3-t12 Firmware Qcs-ax3-t8 Qcs-ax3-t8 Firmware Qd840 Qd840 Firmware Qhs710 Qhs710 Firmware Qsr10ga Qsr10ga Firmware Qsr10gu Qsr10gu Firmware Qv840 Qv840 Firmware Qv840c Qv840c Firmware Qv860 Qv860 Firmware Qv940 Qv940 Firmware Qv942c Qv942c Firmware Qv952c Qv952c Firmware

Configuration 1 [-]

AND

cpe:2.3:o:onsemi:qcs-ax3-s5_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qcs-ax3-s5:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:onsemi:qcs-ax2-a12_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qcs-ax2-a12:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:onsemi:qcs-ax2-t12_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qcs-ax2-t12:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:onsemi:qcs-ax2-t8_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qcs-ax2-t8:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:onsemi:qd840_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qd840:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:o:onsemi:qhs710_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qhs710:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND

cpe:2.3:o:onsemi:qsr10ga_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qsr10ga:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND

cpe:2.3:o:onsemi:qsr10gu_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qsr10gu:-:*:*:*:*:*:*:*

Configuration 9 [-]

AND

cpe:2.3:o:onsemi:qv840_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qv840:-:*:*:*:*:*:*:*

Configuration 10 [-]

AND

cpe:2.3:o:onsemi:qv840c_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qv840c:-:*:*:*:*:*:*:*

Configuration 11 [-]

AND

cpe:2.3:o:onsemi:qv860_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qv860:-:*:*:*:*:*:*:*

Configuration 12 [-]

AND

cpe:2.3:o:onsemi:qv940_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qv940:-:*:*:*:*:*:*:*

Configuration 13 [-]

AND

cpe:2.3:o:onsemi:qv942c_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qv942c:-:*:*:*:*:*:*:*

Configuration 14 [-]

AND

cpe:2.3:o:onsemi:qv952c_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qv952c:-:*:*:*:*:*:*:*

Configuration 15 [-]

AND

cpe:2.3:o:onsemi:qcs-ax2-s5_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qcs-ax2-s5:-:*:*:*:*:*:*:*

Configuration 16 [-]

AND

cpe:2.3:o:onsemi:qcs-ax3-a12_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qcs-ax3-a12:-:*:*:*:*:*:*:*

Configuration 17 [-]

AND

cpe:2.3:o:onsemi:qcs-ax3-t12_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qcs-ax3-t12:-:*:*:*:*:*:*:*

Configuration 18 [-]

AND

cpe:2.3:o:onsemi:qcs-ax3-t8_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:onsemi:qcs-ax3-t8:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://community.onsemi.com/s/article/QCS-Quantenna-Wi-Fi-product-support-and-security-best-practices
https://takeonme.org/cves/cve-2025-3460

History

Tue, 13 Jan 2026 20:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Onsemi Onsemi qcs-ax2-a12 Onsemi qcs-ax2-a12 Firmware Onsemi qcs-ax2-s5 Onsemi qcs-ax2-s5 Firmware Onsemi qcs-ax2-t12 Onsemi qcs-ax2-t12 Firmware Onsemi qcs-ax2-t8 Onsemi qcs-ax2-t8 Firmware Onsemi qcs-ax3-a12 Onsemi qcs-ax3-a12 Firmware Onsemi qcs-ax3-s5 Onsemi qcs-ax3-s5 Firmware Onsemi qcs-ax3-t12 Onsemi qcs-ax3-t12 Firmware Onsemi qcs-ax3-t8 Onsemi qcs-ax3-t8 Firmware Onsemi qd840 Onsemi qd840 Firmware Onsemi qhs710 Onsemi qhs710 Firmware Onsemi qsr10ga Onsemi qsr10ga Firmware Onsemi qsr10gu Onsemi qsr10gu Firmware Onsemi qv840 Onsemi qv840 Firmware Onsemi qv840c Onsemi qv840c Firmware Onsemi qv860 Onsemi qv860 Firmware Onsemi qv940 Onsemi qv940 Firmware Onsemi qv942c Onsemi qv942c Firmware Onsemi qv952c Onsemi qv952c Firmware
CPEs		cpe:2.3:h:onsemi:qcs-ax2-a12:-:::::::* cpe:2.3:h:onsemi:qcs-ax2-s5:-:::::::* cpe:2.3:h:onsemi:qcs-ax2-t12:-:::::::* cpe:2.3:h:onsemi:qcs-ax2-t8:-:::::::* cpe:2.3:h:onsemi:qcs-ax3-a12:-:::::::* cpe:2.3:h:onsemi:qcs-ax3-s5:-:::::::* cpe:2.3:h:onsemi:qcs-ax3-t12:-:::::::* cpe:2.3:h:onsemi:qcs-ax3-t8:-:::::::* cpe:2.3:h:onsemi:qd840:-:::::::* cpe:2.3:h:onsemi:qhs710:-:::::::* cpe:2.3:h:onsemi:qsr10ga:-:::::::* cpe:2.3:h:onsemi:qsr10gu:-:::::::* cpe:2.3:h:onsemi:qv840:-:::::::* cpe:2.3:h:onsemi:qv840c:-:::::::* cpe:2.3:h:onsemi:qv860:-:::::::* cpe:2.3:h:onsemi:qv940:-:::::::* cpe:2.3:h:onsemi:qv942c:-:::::::* cpe:2.3:h:onsemi:qv952c:-:::::::* cpe:2.3:o:onsemi:qcs-ax2-a12_firmware:-:::::::* cpe:2.3:o:onsemi:qcs-ax2-s5_firmware:-:::::::* cpe:2.3:o:onsemi:qcs-ax2-t12_firmware:-:::::::* cpe:2.3:o:onsemi:qcs-ax2-t8_firmware:-:::::::* cpe:2.3:o:onsemi:qcs-ax3-a12_firmware:-:::::::* cpe:2.3:o:onsemi:qcs-ax3-s5_firmware:-:::::::* cpe:2.3:o:onsemi:qcs-ax3-t12_firmware:-:::::::* cpe:2.3:o:onsemi:qcs-ax3-t8_firmware:-:::::::* cpe:2.3:o:onsemi:qd840_firmware:-:::::::* cpe:2.3:o:onsemi:qhs710_firmware:-:::::::* cpe:2.3:o:onsemi:qsr10ga_firmware:-:::::::* cpe:2.3:o:onsemi:qsr10gu_firmware:-:::::::* cpe:2.3:o:onsemi:qv840_firmware:-:::::::* cpe:2.3:o:onsemi:qv840c_firmware:-:::::::* cpe:2.3:o:onsemi:qv860_firmware:-:::::::* cpe:2.3:o:onsemi:qv940_firmware:-:::::::* cpe:2.3:o:onsemi:qv942c_firmware:-:::::::* cpe:2.3:o:onsemi:qv952c_firmware:-:::::::*
Vendors & Products		Onsemi Onsemi qcs-ax2-a12 Onsemi qcs-ax2-a12 Firmware Onsemi qcs-ax2-s5 Onsemi qcs-ax2-s5 Firmware Onsemi qcs-ax2-t12 Onsemi qcs-ax2-t12 Firmware Onsemi qcs-ax2-t8 Onsemi qcs-ax2-t8 Firmware Onsemi qcs-ax3-a12 Onsemi qcs-ax3-a12 Firmware Onsemi qcs-ax3-s5 Onsemi qcs-ax3-s5 Firmware Onsemi qcs-ax3-t12 Onsemi qcs-ax3-t12 Firmware Onsemi qcs-ax3-t8 Onsemi qcs-ax3-t8 Firmware Onsemi qd840 Onsemi qd840 Firmware Onsemi qhs710 Onsemi qhs710 Firmware Onsemi qsr10ga Onsemi qsr10ga Firmware Onsemi qsr10gu Onsemi qsr10gu Firmware Onsemi qv840 Onsemi qv840 Firmware Onsemi qv840c Onsemi qv840c Firmware Onsemi qv860 Onsemi qv860 Firmware Onsemi qv940 Onsemi qv940 Firmware Onsemi qv942c Onsemi qv942c Firmware Onsemi qv952c Onsemi qv952c Firmware

Mon, 09 Jun 2025 19:00:00 +0000

Type	Values Removed	Values Added
Description	The Quantenna Wi-Fi chipset ships with a local control script, router_command.sh (in the get_file_from_qtn argument), that is vulnerable to command injection. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.7 ( CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) . This issue affects Quantenna Wi-Fi chipset through version 8.0.0.28 of the latest SDK, and appears to be unpatched at the time of this CVE record's first publishing, though the vendor has released a best practices guide for implementors of this chipset.	The Quantenna Wi-Fi chipset ships with a local control script, router_command.sh (in the get_file_from_qtn argument), that is vulnerable to command injection. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.7 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). This issue affects Quantenna Wi-Fi chipset through version 8.0.0.28 of the latest SDK, and appears to be unpatched at the time of this CVE record's first publishing, though the vendor has released a best practices guide for implementors of this chipset.

Mon, 09 Jun 2025 04:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Sun, 08 Jun 2025 21:15:00 +0000

Type	Values Removed	Values Added
Description		The Quantenna Wi-Fi chipset ships with a local control script, router_command.sh (in the get_file_from_qtn argument), that is vulnerable to command injection. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.7 ( CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) . This issue affects Quantenna Wi-Fi chipset through version 8.0.0.28 of the latest SDK, and appears to be unpatched at the time of this CVE record's first publishing, though the vendor has released a best practices guide for implementors of this chipset.
Title		ON Semiconductor Quantenna router_command.sh (in the get_file_from_qtn argument) Argument Injection
Weaknesses		CWE-88
References		https://community.onsemi.com/s/article/QCS-Quantenna-Wi-Fi-product-support-and-security-best-practices https://takeonme.org/cves/cve-2025-3460
Metrics		cvssV3_1 `{'score': 7.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}`

MITRE

Status: PUBLISHED

Assigner: AHA

Published: 2025-06-08T21:03:24.532Z

Updated: 2025-06-10T13:23:32.884Z

Reserved: 2025-04-08T23:41:04.752Z

Link: CVE-2025-32457

Vulnrichment

Updated: 2025-06-09T03:27:09.356Z

NVD

Status : Analyzed

Published: 2025-06-08T21:15:31.403

Modified: 2026-01-13T20:25:19.797

Link: CVE-2025-32457

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object