Command Injection Vulnerability in Motorola Network Devices
CVE-2019-9121

9.8CRITICAL

Key Information:

Vendor: Motorola
Status: M2 Firmware
Vendor: CVE Published:; 7 March 2019

Summary

A vulnerability has been identified in Motorola C1 and M2 devices, where untrusted input can be exploited due to improper handling of data sent via the HNAP API. Specifically, an attacker may craft a malicious POST request targeting the SetSmartQoSSettings function, allowing them to execute arbitrary operating system commands. This occurs because user-controlled input is directly passed to the system function without rigorous validation, enabling remote code execution and potentially leading to a complete compromise of the device's control.

References

https://github.com/lieanu/vuls/blob/master/motorola/M2_C1...

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 7, 2019
Vulnerability Reserved
Feb 24, 2019