CVE-2025-66848NVD

Vulnerability Summary

JD Cloud NAS routers AX1800 (4.3.1.r4308 and earlier), AX3000 (4.3.1.r4318 and earlier), AX6600 (4.5.1.r4533 and earlier), BE6500 (4.4.1.r4308 and earlier), ER1 (4.5.1.r4518 and earlier), and ER2 (4.5.1.r4518 and earlier) contain an unauthorized remote command execution vulnerability.

Severity Level

CRITICAL(9.8)

Published Date

Dec 30, 2025

Last Modified

Jan 9, 2026

Exploitation Status

????

EPSS Score (30-Day)

Data Pending

Root Weakness (CWE)

CWE-94: Code Injection ↗

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended syntax or behavior.

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

ScopeUnchanged

ConfidentialityHigh

IntegrityHigh

AvailabilityHigh

External References

http://jd.com
https://www.notion.so/JD-Cloud-Unauth-RCE-2d22b76e8e0c802c975bf186b208d0c2
https://www.jdcloud.com/cn/

Critical Alert 1 Active Exploit Detected Today

CVE Watchtower

CVE-2025-66848NVD

Vulnerability Summary

External References