Command Injection Vulnerability in Motorola CX2 and M2 Products
CVE-2019-11319

9.8CRITICAL

Key Information:

Vendor: Motorola
Status: Cx2 Firmware
Vendor: CVE Published:; 18 April 2019

Summary

A critical command injection vulnerability exists in the downloadFirmware function of the hnap service in Motorola CX2 and M2 products. Exploitation of this flaw allows an attacker to execute arbitrary commands on the device by injecting shell metacharacters within a JSON value. This could lead to unauthorized access and potential compromise of the system’s integrity, emphasizing the need for immediate remediation.

References

https://github.com/TeamSeri0us/pocs/blob/master/iot/motor...

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 18, 2019
Vulnerability Reserved
Apr 18, 2019