OS Command Injection Vulnerability Affects Advantech Devices

CVE-2024-50362

7.2HIGH

Key Information

Vendor
Advantech
Status
Eki-6333ac-2g
Eki-6333ac-2gd
Eki-6333ac-1gpo
Vendor
CVE Published:
26 November 2024

Summary

A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The source of the vulnerability relies on multiple parameters belonging to the "connection_profile_apply" API which are not properly sanitized before being concatenated to OS level commands.

Affected Version(s)

EKI-6333AC-2G <= 0

EKI-6333AC-2GD <= 0

EKI-6333AC-1GPO <= 0

Refferences

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database

Credit

Diego Zaffaroni of Nozomi Networks found this bug during a security research activity.
.