CVE-2019-19356

Name of the Vulnerable Software and Affected Versions Netis WF2419 versions V1.2.31805 through V2.2.36123

Description The vulnerability is related to the implementation of the ping and tracert commands in the web interface of the Netis WF2419 router's firmware, which fails to neutralize special elements. This allows a remote attacker to execute arbitrary commands and gain unauthorized access to protected information by sending specially crafted HTTP requests. The issue is due to a lack of user input sanitizing, enabling the execution of system commands as root through the tracert diagnostic tool.

Recommendations For versions V1.2.31805 and V2.2.36123, consider disabling the tracert diagnostic tool in the web management page as a temporary workaround to minimize the risk of exploitation. Restrict access to the router's web management page to prevent unauthorized access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.