OS Command Injection Vulnerability Affects Advantech Devices
CVE-2024-50366

7.2HIGH

Key Information:

Vendor: Advantech
Status: Eki-6333ac-2g; Eki-6333ac-2gd; Eki-6333ac-1gpo
Vendor: CVE Published:; 26 November 2024

Summary

An OS command injection vulnerability exists in specific Advantech networking devices due to inadequate sanitization of input parameters within the applications_apply API. This oversight allows attackers to exploit unsanitized data and potentially execute arbitrary OS commands, compromising the security and functionality of the affected devices. The risk is present across multiple Advantech models, making it crucial for users to apply recommended security updates and patches to mitigate exposure.

Affected Version(s)

EKI-6333AC-1GPO 0

EKI-6333AC-2G 0

EKI-6333AC-2GD 0

References

https://www.nozominetworks.com/labs/vulnerability-advisor...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 26, 2024
Vulnerability Reserved
Oct 23, 2024

Credit

Diego Zaffaroni of Nozomi Networks found this bug during a security research activity.