James Pavur

**Name of the Vulnerable Software and Affected Versions** Newtec/iDirect NTC2218, NTC2250, NTC2299 versions 1.0.1.1 through 2.2.6.19 **Description** The issue affects the `commit multicast` page in the modem's web administration interface, which improperly parses incoming data from the request before passing it to an `eval` statement in a bash script. This allows attackers to inject arbitrary shell commands, enabling Local Code Inclusion. **Recommendations** For versions 1.0.1.1 through 2.2.6.19, consider disabling the `commit multicast` page in the web administration interface as a temporary workaround until a patch is available. Restrict access to the bash script that uses the `eval` statement to minimize the risk of exploitation. Avoid using the `eval` statement in the bash script until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.