PT-2018-5634 · Moxa · Edr-810
Published: 2018-05-14 · Updated: 2022-12-09 · CVE-2017-14433
CVSS v2.0: 9.0 (High)
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions:
Moxa EDR-810 version 4.1 build 17030317
Description:
A command injection issue exists in the web server functionality, allowing a specially crafted HTTP POST to cause a privilege escalation resulting in a root shell. An attacker can inject OS commands into the remoteNetwork0= parameter of the "/goform/net Web get value" endpoint to trigger this issue.
Recommendations:
For Moxa EDR-810 version 4.1 build 17030317, consider restricting access to the "/goform/net Web get value" endpoint until a patch is available, and avoid using the remoteNetwork0= parameter in this endpoint to minimize the risk of exploitation.
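As an added illustration (not part of the advisory), a small defender-side check that flags POST requests to the endpoint named above whose remoteNetwork0 value is not a plain IPv4 address or network. The request log format, the sample lines and the assumption that legitimate values are IPv4 networks are mine, not Moxa's.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Endpoint and parameter are the ones named in the advisory.
VULN_ENDPOINT = "/goform/net Web get value"
VULN_PARAM = "remoteNetwork0"
# Characters that would let a value break out into a shell command line.
SHELL_META = re.compile(r"[;|&`$()<>\n]")

# Constructed request log lines: "<client> <method> <path> <url-encoded body>" (assumed format).
SAMPLE_LOGS = [
    "10.0.0.5 POST /goform/net%20Web%20get%20value remoteNetwork0=192.168.10.0%2F24",
    "10.0.0.7 POST /goform/net%20Web%20get%20value remoteNetwork0=192.168.10.0%3Bid",
    "10.0.0.9 GET /index.htm -",
    "10.0.0.8 POST /goform/net%20Web%20get%20value localNetwork0=10.1.0.0",
    "10.0.0.6 POST /goform/other remoteNetwork0=192.168.10.0%3Bid",
]

def parse_form(body):
    """Decode a form-urlencoded body, splitting only on '&' (';' stays inside values)."""
    params = {}
    for pair in body.split("&"):
        if not pair or pair == "-":
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params

def is_valid_network(value):
    """Allow-list check: the parameter is assumed to carry an IPv4 address or CIDR network."""
    try:
        ipaddress.IPv4Network(value, strict=False)
        return True
    except ValueError:
        return False

def find_injection_attempts(lines):
    """Return (client, value, reason) for POSTs to the vulnerable endpoint with a non-network value."""
    hits = []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) != 4:
            continue  # malformed line; skip rather than crash
        client, method, path, body = parts
        if method != "POST" or unquote_plus(path) != VULN_ENDPOINT:
            continue
        for value in parse_form(body).get(VULN_PARAM, []):
            if not is_valid_network(value):
                reason = "shell metacharacter" if SHELL_META.search(value) else "not an IPv4 network"
                hits.append((client, value, reason))
    return hits
```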
Weakness Enumeration:
OS Command Injection
Affected Products:
Edr-810