ON Semiconductor Quantenna Wi-Fi Chipset Command Injection Vulnerability in Local Control Script

Vulnerability

A command injection vulnerability has been identified in a local control script called 'transmit_file', which is included with certain Quantenna Wi-Fi chipsets from ON Semiconductor. This vulnerability allows for arbitrary command execution by injecting commands into the script's arguments. The issue arises from improper sanitization of the input parameters, enabling an attacker to execute commands with root privileges. The vulnerability affects Quantenna Wi-Fi chipsets through version 8.0.0.28 of the latest SDK.
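The root cause named above, script arguments reaching the shell without sanitization, is shown here as an added example that is not the vendor's 'transmit_file' code: a weak handler that lets the shell re-parse its argument, beside a hardened one that allowlists the argument and passes it as a single quoted word. The function names (handle_weak, is_safe_name, handle_safe), the 64-character limit and the sample arguments are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added illustration; hypothetical stand-ins, NOT the vendor's transmit_file.

# Weak pattern: the argument is pasted into a string the shell parses again,
# so separators and substitutions inside $1 become shell syntax.
handle_weak() {
    eval "echo sending $1"
}

# Allowlist check: non-empty, at most 64 characters, no leading '-', and
# only letters, digits, '.', '_' and '-'.
is_safe_name() {
    case "$1" in
        '' | -* | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# Hardened pattern: validate first, then use the value as one quoted word.
handle_safe() {
    if ! is_safe_name "$1"; then
        echo "rejected"
        return 2
    fi
    printf 'sending %s\n' "$1"
}

# Constructed sample arguments: an ordinary name and one carrying a separator.
for arg in 'fw.bin' 'fw.bin; echo INJECTED'; do
    printf 'weak -> %s\n' "$(handle_weak "$arg" | tr '\n' ' ')"
    printf 'safe -> %s\n' "$(handle_safe "$arg")"
done
```

The weak handler prints the marker on its own line for the second argument, which shows the text after the separator ran as a command; the hardened handler rejects that argument before it is used.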

Impact

Exploitation of this vulnerability allows for arbitrary command execution as root on the affected device. This could lead to complete control over the Quantenna Wi-Fi chip, including the ability to remotely enable the telnet service, as described in CVE-2025-3461.

Reproduction

The vulnerability can be reproduced by using the 'qcsapi' RPC service to execute the 'run_script' command with the 'transmit_file' script as the target. The first argument can be replaced with any command, which will be executed with root privileges. For example, injecting a command to spawn a telnet service would demonstrate the exploitation of this vulnerability.

Remediation

ON Semiconductor has published a best practices guide for Quantenna Wi-Fi chipsets, recommending the configuration of security options that are disabled by default. This guide includes instructions for changing default passwords, disabling the telnet service for production releases, and applying additional security measures such as VLAN support and secure boot options. For more information, refer to the Quantenna Wi-Fi chipset support and security best practices article on the ON Semiconductor community website.

Added: Jun 8, 2025, 9:19 PM
Updated: Jun 8, 2025, 9:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.