CVE-2025-41688

Critical | Proof-of-Concept

MB Connect Line mbNET Lua Sandbox Escape — Arbitrary Command Execution as Root

PERIMETER DEVICE RISK
APT-RELATED
CVSS v3.1 Base Score: 9.1

Critical severity — Immediate action required

AV: Network | AC: Low | Auth: Required

mbNET industrial VPN routers allow a Lua sandbox escape that leads to command execution as root. These devices are frequently deployed as remote access gateways for OT networks, making them high-value targets. An attacker who compromises an mbNET device has direct access to the OT network behind it. The CVSS score of 9.1 is an estimate based on impact analysis: exploitation requires authentication but is trivial once scripting access is obtained.

Status: Proof-of-Concept
Complexity: Low
Auth Required: Yes
Initial Access: Authenticated access to Lua scripting interface, then sandbox escape

Threat Actors / APT Groups: Sandworm

Known Techniques
  • Lua os.execute() bypass via loadstring and debug library
  • Sandbox escape through Lua C function ffi interface
  • Root shell via crafted Lua script leveraging unrestricted io library

Published: 2025-03-12
Modified: 2025-03-28
Vendor: MB Connect Line
CWE: CWE-78 (Improper Neutralization of Special Elements used in an OS Command)

Risk Summary
Overall Risk: Critical
Exploitation: Proof-of-Concept
Detection: High coverage
Detection Rate: 93%
Rules Available: 3
Threat Actors: Sandworm