CVE-2019-9120

Name of the Vulnerable Software and Affected Versions Motorola C1 version 1.01 Motorola M2 version 1.07

Description A Command Injection issue allows a remote attacker to execute arbitrary code and gain a root shell. This occurs when the HNAP API function triggers a call to the system function with untrusted input from the request body for the SetWLanACLSettings API function, as demonstrated by shell metacharacters in the wl(0).(0) maclist field, via a crafted "/HNAP1" POST request.

Recommendations For Motorola C1 version 1.01, consider disabling the SetWLanACLSettings API function until a patch is available. For Motorola M2 version 1.07, restrict access to the HNAP API to minimize the risk of exploitation.