Command Injection Vulnerability in EnGenius Network Products
CVE-2024-11654
Key Information:
- Vendor
Engenius
- Vendor
- CVE Published:
- 25 November 2024
Badges
What is CVE-2024-11654?
A critical command injection vulnerability has been identified in several EnGenius networking products, specifically the ENH1350EXT, ENS500-AC, and ENS620EXT versions released before November 18, 2024. The vulnerability resides in the /admin/network/diag_traceroute6 file, where improper handling of user-supplied arguments allows remote attackers to execute arbitrary commands on the device. This issue poses a severe risk to network integrity as it can be exploited without authentication, leading to unauthorized access and control over the affected devices. Despite early communication with EnGenius regarding this critical security flaw, there was no response from the vendor, leaving users vulnerable to potential exploits. Immediate action is recommended to mitigate risks and secure network infrastructure.
Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.
Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.
Affected Version(s)
ENH1350EXT 20241118
ENS500-AC 20241118
ENS620EXT 20241118
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V3.1
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published