Ricardo123

**Name of the Vulnerable Software and Affected Versions** Netcore NBR1005GPEV2 versions up to 20250508 Netcore B6V2 versions up to 20250508 Netcore COVER5 versions up to 20250508 Netcore NAP830 versions up to 20250508 Netcore NAP930 versions up to 20250508 Netcore NBR100V2 versions up to 20250508 Netcore NBR200V2 versions up to 20250508 Netcore POWER13 versions up to 20250508 **Description** A critical vulnerability was found in the Query String Handler component of the affected Netcore devices. The issue affects an unknown part of the file /www/cgi-bin/ and leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For all affected versions up to 20250508, consider disabling the Query String Handler component until a patch is available. Restrict access to the /www/cgi-bin/ file to minimize the risk of exploitation. Avoid using the affected Netcore devices until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Netcore NBR1005GPEV2 versions up to 20250508 Netcore B6V2 versions up to 20250508 Netcore COVER5 versions up to 20250508 Netcore NAP830 versions up to 20250508 Netcore NAP930 versions up to 20250508 Netcore NBR100V2 versions up to 20250508 Netcore NBR200V2 versions up to 20250508 **Description** A critical vulnerability has been found in the HTTP Header Handler component of the affected Netcore devices. The issue affects the `passwd set` function of the `/usr/bin/routerd` file, where manipulation of the `pwd` argument leads to command injection. This can be initiated remotely. The exploit has been disclosed publicly. **Recommendations** For all affected versions up to 20250508, consider disabling the `passwd set` function of the `/usr/bin/routerd` file to prevent command injection until a patch is available. Restrict access to the HTTP Header Handler component to minimize the risk of exploitation. Avoid using the `pwd` argument in the affected HTTP Header Handler until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Netcore NBR1005GPEV2 versions up to 20250508 Netcore NBR200V2 versions up to 20250508 Netcore B6V2 versions up to 20250508 **Description** A critical issue affects the `tools ping` function of the file `/usr/bin/network tools`. The manipulation of the `url` argument leads to command injection. The attack may be initiated remotely. **Recommendations** For Netcore NBR1005GPEV2 versions up to 20250508, consider disabling the `tools ping` function until a patch is available. For Netcore NBR200V2 versions up to 20250508, consider disabling the `tools ping` function until a patch is available. For Netcore B6V2 versions up to 20250508, consider disabling the `tools ping` function until a patch is available. Avoid using the `url` argument in the affected `tools ping` function until the issue is resolved.