
      Security Bulletin – Ericsson Indoor Connect 8855, September 2025

      Summary:

      Ericsson has released the Indoor Connect 2025.Q2 update which addresses five security vulnerabilities found in Ericsson Indoor Connect 8855.

      Vulnerability description:

      This section summarizes the vulnerability issue and potential impact that this security update addresses.

      CVE-2025-27261 - Ericsson Indoor Connect 8855 contains an SQL injection vulnerability which if exploited can result in unauthorized disclosure or modification of data.

      CVSS 4.0
      CVSS Base Score: 8.7
      Severity: High
      CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
      Weakness Type: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

      CVE-2025-27262 - Ericsson Indoor Connect 8855 contains a command injection vulnerability which if exploited can result in an escalation of privileges.

      CVSS 4.0
      CVSS Base Score: 8.5
      Severity: High
      CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
      Weakness Type: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

      CVE-2025-40836 - Ericsson Indoor Connect 8855 contains an improper input validation vulnerability which if exploited can allow an attacker to execute commands with escalated privileges.

      CVSS 4.0
      CVSS Base Score: 8.7
      Severity: High
      CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
      Weakness Type: CWE-20: Improper Input Validation

      CVE-2025-40837 - Ericsson Indoor Connect 8855 contains a missing authorization vulnerability which if exploited can allow access to the system as a user with higher privileges than intended.

      CVSS 4.0
      CVSS Base Score: 8.7
      Severity: High
      CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
      Weakness Type: CWE-862: Missing Authorization

      CVE-2025-40838 - Ericsson Indoor Connect 8855 contains a vulnerability where server-side security can be bypassed in the client which if exploited can lead to unauthorized disclosure of certain information.

      CVSS 4.0
      CVSS Base Score: 5.1
      Severity: Medium
      CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
      Weakness Type: CWE-522: Insufficiently Protected Credentials

      Security update:

      The following table lists the Ericsson products affected, versions affected, and the updated version that includes this security update.

      To protect your system, download and install the updated version.

      CVE Addressed | Product Name | Affected Versions | Updated Versions
      CVE-2025-27261, CVE-2025-27262, CVE-2025-40836, CVE-2025-40837, CVE-2025-40838 | Indoor Connect 8855 | All versions prior to 2025.Q2 | 2025.Q2

      Mitigations:

      See the solution above for the version to install.

      Acknowledgement:

      Ericsson thanks the following people for reporting these issues to us:
      Telstra

      Additional information:

      • Ericsson severity assessment of a vulnerability is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your organization. We recommend evaluating the risk to your specific configuration.
      • If you have any questions regarding this bulletin, please reach out to your local Ericsson support representative. For more information, see our Customer Support page.
      • To learn more about the vulnerability management process followed by the Ericsson Product Security Incident Response Team (PSIRT), see the Ericsson PSIRT page.

      Revision history:

      Revision | Date | Description
      2.0 | September 30, 2025 | Updated vulnerability details
      1.0 | September 25, 2025 | Initial release

      © Ericsson AB 2024. All rights reserved. No part of this message may be reproduced in any form without the written permission of the copyright owner. The contents of this document are subject to revision without notice due to continued progress in methodology, design and manufacturing. Ericsson shall have no liability for any error or damage of any kind resulting from the use of this message. For questions, please contact Ericsson Local Support or connect with us on the Omni Network Channel section of My Ericsson.