PT-2019-16600 · Wifi Soft · Wifi-Soft Unibox Controller

Sahil Dhar · Published 2019-03-18 · Updated 2021-09-13 · CVE-2019-3495

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: Wifi-soft UniBox controller versions 0.x through 2.x

Description: An issue was discovered that allows for arbitrary file upload through the network/mesh/edit-nds.php endpoint, enabling an attacker to upload .php files and execute code on the server with root user privileges. The authentication for accessing this component can be bypassed by using hard-coded credentials.

Recommendations: For Wifi-soft UniBox controller versions 0.x through 2.x, as a temporary workaround, consider disabling access to the network/mesh/edit-nds.php endpoint until a patch is available. Restrict the use of hard-coded credentials to minimize the risk of exploitation.

Exploit

Fix

Using Hardcoded Credentials

Unrestricted File Upload

Weakness Enumeration

Related identifiers

CVE-2019-3495

Affected products

Wifi-Soft Unibox Controller