OS Command Injection Vulnerability in Ruijie RG-UAC Products
CVE-2024-5340

4.7MEDIUM

Key Information:

Vendor

Ruijie

Status
Rg-uac
Vendor
CVE Published:
25 May 2024

Badges

👾 Exploit Exists

What is CVE-2024-5340?

A serious OS command injection vulnerability has been identified in Ruijie RG-UAC products, specifically affecting versions up to 20240516. This vulnerability arises from insufficient validation within the '/view/vpn/autovpn/sub_commit.php' file, allowing remote attackers to manipulate the 'key' argument and execute arbitrary commands on the host operating system. The exploitation of this vulnerability could lead to severe impacts on network security. Despite an early disclosure attempt to the vendor, there has been no response regarding necessary remediation measures. Organizations using affected versions are strongly advised to assess their exposure and implement appropriate security controls immediately.

Affected Version(s)

RG-UAC 20240516

References

https://vuldb.com/?id.266246
vdb-entrytechnical-description
https://vuldb.com/?ctiid.266246
signaturepermissions-required
https://vuldb.com/?submit.336038
third-party-advisory

CVSS V3.1

Score:
4.7
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

H0e4a0r1t (VulDB User)
.
CVE-2024-5340 : OS Command Injection Vulnerability in Ruijie RG-UAC Products