CVE-2025-66848
Summary
| CVE | CVE-2025-66848 |
|---|---|
| State | PUBLISHED |
| Assigner | mitre |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2025-12-30 17:15:43 UTC |
| Updated | 2026-07-05 02:17:31 UTC |
| Description | JD Cloud NAS routers AX1800 (4.3.1.r4308 and earlier), AX3000 (4.3.1.r4318 and earlier), AX6600 (4.5.1.r4533 and earlier), BE6500 (4.4.1.r4308 and earlier), ER1 (4.5.1.r4518 and earlier), and ER2 (4.5.1.r4518 and earlier) contain an unauthorized remote command execution vulnerability. |
Risk And Classification
Primary CVSS: v3.1 9.8 CRITICAL from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.009140000 probability, percentile 0.557970000 (date 2026-07-08)
Problem Types: CWE-94 | n/a | CWE-94 CWE-94 Improper Control of Generation of Code ('Code Injection')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Hardware | Jdcloud | Ax1800 | - | All | All | All |
| Operating System | Jdcloud | Ax1800 Firmware | All | All | All | All |
| Hardware | Jdcloud | Ax3000 | - | All | All | All |
| Operating System | Jdcloud | Ax3000 Firmware | All | All | All | All |
| Hardware | Jdcloud | Ax6600 | - | All | All | All |
| Operating System | Jdcloud | Ax6600 Firmware | All | All | All | All |
| Hardware | Jdcloud | Be6500 | - | All | All | All |
| Operating System | Jdcloud | Be6500 Firmware | All | All | All | All |
| Hardware | Jdcloud | Er1 | - | All | All | All |
| Operating System | Jdcloud | Er1 Firmware | All | All | All | All |
| Hardware | Jdcloud | Er2 | - | All | All | All |
| Operating System | Jdcloud | Er2 Firmware | All | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.notion.so/JD-Cloud-Unauth-RCE-2d22b76e8e0c802c975bf186b208d0c2 | [email protected] | www.notion.so | Permissions Required |
| www.jdcloud.com/cn | [email protected] | www.jdcloud.com | Product |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.