Command Injection Vulnerability in Moxa AWK-3121 Wireless Devices
CVE-2018-10699

8.8 HIGH

Key Information:

Vendor: Moxa
CVE Published: 7 June 2019

Summary

Moxa AWK-3121 devices running version 1.14 are susceptible to a command injection vulnerability caused by improper handling of the 'iw_privatePass' POST parameter. An attacker can craft packets that place shell metacharacters in this parameter and thereby execute arbitrary commands on the device. The vulnerable parameter belongs to the certfile upload functionality, which is intended for legitimate certificate uploads.

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
