CVE-2020-8087

Name of the Vulnerable Software and Affected Versions SMC Networks D3G0804W D3GNV5M version 3.5.1.6.10 GA

Description The issue allows remote command execution by leveraging access to the Network Diagnostic Tools screen, as demonstrated by an admin login. The attacker must use a Parameter Pollution approach against "goform/formSetDiagnosticToolsFmPing" by providing the vlu diagnostic tools ping address parameter twice: once with a shell metacharacter and a command name, and once with a command argument.

Recommendations For SMC Networks D3G0804W D3GNV5M version 3.5.1.6.10 GA, as a temporary workaround, consider restricting access to the "goform/formSetDiagnosticToolsFmPing" endpoint to minimize the risk of exploitation. Avoid using the vlu diagnostic tools ping address parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.