Loukas Alkis

**Name of the Vulnerable Software and Affected Versions** Radisys MRF Web Panel (SWMS) version 9.0.1 **Description** An issue in the Radisys MRF Web Panel allows for OS command injection attacks through the `MSM MACRO NAME` parameter in the "/swms/ms.cgi" API endpoint. By using the pipe character (`|`), attackers can inject arbitrary OS commands and receive the output in the application's responses. This could enable unauthorized command execution, potentially leading to data access, modification, or software disablement. Since the application executes these commands, malicious activities may appear to originate from the application or its owner (apache user). **Recommendations** For Radisys MRF Web Panel (SWMS) version 9.0.1, consider disabling the `MSM MACRO NAME` parameter in the "/swms/ms.cgi" API endpoint as a temporary workaround until a patch is available. Restrict access to the `/swms/ms.cgi` endpoint to minimize the risk of exploitation. Avoid using the `MSM MACRO NAME` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.