Wang Jincheng

**Name of the Vulnerable Software and Affected Versions** Wavlink WL-WN575A3 version RPT75A3.V4300 **Description** The issue is caused by a lack of strict length checks on user-controlled data, leading to buffer overflow vulnerabilities. Successful exploitation can result in crashing remote devices or executing arbitrary commands without authorization verification. **Recommendations** For Wavlink WL-WN575A3 version RPT75A3.V4300, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TP-Link RE365 version V1 180213 **Description** The issue is related to a buffer overflow vulnerability due to the lack of length verification for the `USER AGENT` field in `/usr/bin/httpd`. This vulnerability can be exploited by attackers to cause the remote target device to crash or execute arbitrary commands. The vulnerability is related to the `USER AGENT` field, which can be exploited by sending specially crafted network packets. **Recommendations** As a temporary workaround, consider disabling the `httpd` service or restricting access to the `/usr/bin/httpd` endpoint until a patch is available. Update the firmware to the latest version to secure the network. Restrict access to the vulnerable `USER AGENT` field to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** TRENDnet TEW-752DRU version 1.03B01 **Description** The issue is due to a lack of length verification for the `service` field in `gena.cgi`, leading to a buffer overflow. This can cause the remote target device to crash or allow attackers to execute arbitrary commands. The estimated number of potentially affected devices worldwide is not specified. **Recommendations** For TRENDnet TEW-752DRU version 1.03B01, as a temporary workaround, consider disabling access to the `gena.cgi` endpoint until a patch is available. Restrict the use of the `service` parameter in the `gena.cgi` endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DIR-860L version 2.03 **Description** The issue is related to a buffer overflow vulnerability in the gena.cgi file of the D-Link DIR-860L router's firmware. This vulnerability is caused by the lack of length verification for the `SID` field in gena.cgi, allowing an attacker to send a specially crafted POST request to exploit the vulnerability. Successful exploitation can cause the remote target device to crash or execute arbitrary commands. **Recommendations** For D-Link DIR-860L version 2.03, consider disabling the gena.cgi file or restricting access to it until a patch is available. As a temporary workaround, avoid using the `SID` field in the gena.cgi file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RG-EW series home routers and repeaters versions EW 3.0(1)B11P204 through EW 3.0(1)B11P219 RG-NBS and RG-S1930 series switches versions SWITCH 3.0(1)B11P218 through SWITCH 3.0(1)B11P219 RG-EG series business VPN routers versions EG 3.0(1)B11P216 through EG 3.0(1)B11P219 EAP and RAP series wireless access points versions AP 3.0(1)B11P218 through AP 3.0(1)B11P219 NBC series wireless controllers versions AC 3.0(1)B11P86 through AC 3.0(1)B11P219 **Description** A command injection issue allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to "/cgi-bin/luci/api/cmd" via the `remoteIp` field. The issue also allows a remote attacker to execute arbitrary code via the unifyframe-sgi.elf component in sub 40DA38. **Recommendations** For RG-EW series home routers and repeaters versions EW 3.0(1)B11P204 through EW 3.0(1)B11P219, restrict access to the "/cgi-bin/luci/api/cmd" endpoint to minimize the risk of exploitation. For RG-NBS and RG-S1930 series switches versions SWITCH 3.0(1)B11P218 through SWITCH 3.0(1)B11P219, consider disabling the unifyframe-sgi.elf component until a patch is available. For RG-EG series business VPN routers versions EG 3.0(1)B11P216 through EG 3.0(1)B11P219, avoid using the `remoteIp` field in the affected API endpoint until the issue is resolved. For EAP and RAP series wireless access points versions AP 3.0(1)B11P218 through AP 3.0(1)B11P219, restrict access to the vulnerable module to minimize the risk of exploitation. For NBC series wireless controllers versions AC 3.0(1)B11P86 through AC 3.0(1)B11P219, consider temporarily disabling the sub 40DA38 function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Ruijie Networks RG-EW series home routers and repeaters version EW 3.0(1)B11P204 Ruijie Networks RG-NBS and RG-S1930 series switches version SWITCH 3.0(1)B11P218 Ruijie Networks RG-EG series business VPN routers version EG 3.0(1)B11P216 Ruijie Networks EAP and RAP series wireless access points version AP 3.0(1)B11P218 Ruijie Networks NBC series wireless controllers version AC 3.0(1)B11P86 **Description** The issue allows unauthorized remote attackers to gain the highest privileges via a crafted POST request to "/cgi-bin/luci/api/auth". This enables remote attackers to gain escalated privileges. **Recommendations** For Ruijie Networks RG-EW series home routers and repeaters version EW 3.0(1)B11P204, consider disabling access to the "/cgi-bin/luci/api/auth" endpoint until a patch is available. For Ruijie Networks RG-NBS and RG-S1930 series switches version SWITCH 3.0(1)B11P218, restrict access to the "/cgi-bin/luci/api/auth" endpoint to minimize the risk of exploitation. For Ruijie Networks RG-EG series business VPN routers version EG 3.0(1)B11P216, avoid using the vulnerable API endpoint until the issue is resolved. For Ruijie Networks EAP and RAP series wireless access points version AP 3.0(1)B11P218, consider temporarily disabling the API endpoint "/cgi-bin/luci/api/auth" to prevent exploitation. For Ruijie Networks NBC series wireless controllers version AC 3.0(1)B11P86, limit access to the vulnerable endpoint to reduce the risk of attack. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers (affected versions not specified) **Description** The web-based management interface of the affected devices has insufficient validation of user-supplied input, which could allow an authenticated, remote attacker to inject and execute arbitrary commands on the underlying operating system. A successful exploit could allow the attacker to execute arbitrary commands as the root user on the underlying Linux operating system. The attacker would need to have valid Administrator credentials on the affected device to exploit these vulnerabilities. **Recommendations** For Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers, at the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the web-based management interface to minimize the risk of exploitation. Avoid using the interface with Administrator credentials until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Cisco Small Business Routers RV042 Series (affected versions not specified) Cisco Small Business Routers RV016, RV042, RV042G, RV082, RV320, and RV325 (affected versions not specified) **Description** A vulnerability in the web-based management interface of Cisco Small Business Routers could allow an authenticated, remote attacker to inject arbitrary commands on an affected device. This issue is due to improper validation of user input fields within incoming HTTP packets. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface, potentially allowing the execution of arbitrary commands on an affected device with root-level privileges. To exploit this issue, an attacker would need to have valid Administrator credentials on the affected device. **Recommendations** For Cisco Small Business Routers RV042 Series: At the moment, there is no information about a newer version that contains a fix for this vulnerability. For Cisco Small Business Routers RV016, RV042, RV042G, RV082, RV320, and RV325: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers versions prior to 2025-03-24 Cisco Small Business RV Series Routers versions prior to 2025-03-24 **Description** A vulnerability exists in the web-based management interface of Cisco Small Business Routers, stemming from improper validation of user input within incoming HTTP packets. This flaw allows a remote attacker with administrative credentials to execute arbitrary commands on an affected device. Successful exploitation could grant the attacker root-level privileges and unauthorized data access. The vulnerability, identified as CVE-2023-20118, is actively exploited by threat actors, including the ViciousTrap group, who are leveraging it to build a global honeypot network. Approximately 19,334 devices remain potentially vulnerable, with over 5,300 routers hijacked across 84 countries. The PolarEdge botnet also exploits this vulnerability. The NetGhost script is used to redirect traffic. The vulnerability is present in routers running end-of-life software and Cisco has not released any software updates to address this issue. **Recommendations** For Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers versions prior to 2025-03-24, disable the affected feature as described in the Workarounds section. For Cisco Small Business RV Series Routers versions prior to 2025-03-24, disable the affected feature as described in the Workarounds section. At the moment, there is no information about a newer version that contains a fix for this vulnerability.