An unauthenticated remote attacker can execute arbitrary commands with root privileges on affected devices due to lack of Cross-Site Request Forgery (CSRF) protection in the Main Web Interface (endpoint tls_iotgen_setting).

Credits
ONEKEY Research Labs

References
https://certvde.com/en/advisories/VDE-2025-052