Silas Cutler

**Name of the Vulnerable Software and Affected Versions** Zivif PR115-204-P-RS versions V2.3.4.2103 through V4.7.4.2121 **Description** The issue is related to unauthenticated, blind remote command injection via CGI scripts used in the web interface. This can be demonstrated by a request to `/cgi-bin/iptest.cgi?cmd=iptest.cgi&-time="1504225666237"&-url=$(reboot)`, which allows an attacker to execute arbitrary commands remotely. The vulnerability is associated with the failure to neutralize special elements used in commands. **Recommendations** For versions V2.3.4.2103 through V4.7.4.2121, consider disabling the CGI scripts used in the web interface as a temporary workaround until a patch is available. Restrict access to the `/cgi-bin/iptest.cgi` endpoint to minimize the risk of exploitation. Avoid using the `cmd` and `url` parameters in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.