OS Command Injection Vulnerability in Newtec/iDirect Modems
CVE-2024-13502

9.3 CRITICAL

Key Information:

Vendor: Newtec/iDirect
Products: NTC2218, NTC2250, NTC2299
CVE Published: 17 January 2025

Badges

👾 Exploit Exists

Summary

The vulnerability arises from improper parsing of incoming data on the commit_multicast page of the modem's web administration interface. The flaw lets an attacker inject arbitrary shell commands, leading to unauthorized code execution on the device. Specifically, the vulnerable script passes the incoming data to an eval statement in a bash environment, which poses a significant security risk to the affected Newtec/iDirect modem models.
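The advisory says the handler fed submitted data to bash's eval. The following is an added illustration, not the vendor's script: a hypothetical commit_multicast handler that validates a multicast-group parameter against a strict dotted-quad allowlist and passes it on as a single quoted argument, never through eval (the parameter name and the route command it emits are assumptions).

```shell
#!/bin/sh
# Added example (not Newtec/iDirect code). The unsafe pattern the advisory
# describes looks like:   eval "route add -net $group ..."
# where $group is attacker-controlled; anything after a ';' or inside $(...)
# would be executed. The hardened handler below validates first and never
# hands the value to eval.

# Returns 0 only if $1 is a dotted-quad IPv4 multicast address (224.0.0.0/4).
# Runs in a subshell so changing IFS does not leak to the caller.
is_multicast_group() (
    addr=$1
    # Reject empty input and anything that is not digits and dots in a
    # well-formed layout (no leading/trailing/doubled dots).
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=.
    set -- $addr
    [ $# -eq 4 ] || return 1          # exactly four octets
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1   # each octet in 0..255
    done
    [ "$1" -ge 224 ] && [ "$1" -le 239 ]   # first octet in 224..239
)

# Hypothetical hardened handler: validate, then build the command with the
# value as one argument. Here it prints the command instead of running it.
commit_multicast() {
    group=$1
    if ! is_multicast_group "$group"; then
        printf 'rejected multicast group: %s\n' "$group" >&2
        return 1
    fi
    printf 'route add -net %s netmask 240.0.0.0 dev eth0\n' "$group"
}
```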

Affected Version(s)

NTC2218, NTC2250, NTC2299 Linux 1.0.1.1 <= 2.2.6.19

References

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

James Pavur
Johannes Willbold, [email protected]
Martin Strohmeier, [email protected]