{"Remotely Exploitable OS Command Injection Vulnerability Affects Advantech Devices"}
CVE-2024-50372
9.8CRITICAL
Key Information
- Vendor
- Advantech
- Status
- Eki-6333ac-2g
- Eki-6333ac-2gd
- Eki-6333ac-1gpo
- Vendor
- CVE Published:
- 26 November 2024
Summary
A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The vulnerability can be exploited by remote unauthenticated users capable of interacting with the default "edgserver" service enabled on the access point and malicious commands are executed with root privileges. No authentication is enabled on the service and the source of the vulnerability resides in processing code associated to the "backup_config_to_utility" operation.
Affected Version(s)
EKI-6333AC-2G <= 0
EKI-6333AC-2GD <= 0
EKI-6333AC-1GPO <= 0
Refferences
CVSS V3.1
Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Collectors
NVD DatabaseMitre Database
Credit
Diego Zaffaroni of Nozomi Networks found this bug during a security research activity.