OS Command Injection Vulnerability in TRENDnet Router Devices
CVE-2024-57590

9.8CRITICAL

Key Information:

Vendor: TRENDnet
Status: TEW-632BRP
Vendor: CVE Published:; 27 January 2025

What is CVE-2024-57590?

TRENDnet TEW-632BRP version 1.010B31 is susceptible to an OS command injection vulnerability found in the CGl interface 'ntp_sync.cgi'. This security flaw enables remote attackers to execute arbitrary system commands by manipulating the 'ntp_server' parameter in a POST request to the 'ntp_sync.cgi' binary. Exploitation of this vulnerability poses significant risks as it can compromise the device’s integrity and potentially lead to broader network vulnerabilities.

References

https://github.com/IdaJea/IOT_vuln_1/blob/master/tew632/n...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 27, 2025
Vulnerability Reserved
Jan 9, 2025