Remote Command Execution Vulnerability in Cisco DDR2200 and DDR2201 Residential Gateways
CVE-2017-11588

9.8CRITICAL

Key Information:

Vendor: Cisco
Status: Residential Gateway Firmware
Vendor: CVE Published:; 24 July 2017

Summary

A vulnerability exists in the Cisco DDR2200 and DDR2201 ADSL2+ Residential Gateways that allows remote attackers to execute arbitrary commands. This issue arises due to improper validation of the 'pingAddr' parameter within the 'waitPingqry.cgi' URI. When exploited, attackers are able to craft malicious input, which can lead to command execution revealed through output stored in '/PingMsg.cmd'. This vulnerability poses a serious risk, especially for devices exposed to untrusted networks.

References

http://www.securityfocus.com/bid/99963

vdb-entryx_refsource_BID

http://seclists.org/fulldisclosure/2017/Jul/26

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 24, 2017
Vulnerability Reserved
Jul 23, 2017