Command Injection Vulnerability in EnGenius Networking Products
CVE-2024-11658
Key Information:
- Vendor
Engenius
- Vendor
- CVE Published:
- 25 November 2024
Badges
What is CVE-2024-11658?
CVE-2024-11658 is a critical command injection vulnerability found in EnGenius networking devices, specifically the ENH1350EXT, ENS500-AC, and ENS620EXT models, impacting versions up to 20241118. This vulnerability arises from insufficient validation of the 'countryCode' parameter within the '/admin/network/ajax_getChannelList' file, allowing remote attackers to inject and execute arbitrary commands on the affected devices. The exploit has been publicly disclosed, presenting a significant risk to users who have not yet applied relevant patches. The vendor has been notified of this issue but has not responded, highlighting the urgency for users to mitigate potential attacks.
Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.
Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.
Affected Version(s)
ENH1350EXT 20241118
ENS500-AC 20241118
ENS620EXT 20241118
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V3.1
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published