PT-2020-20384 · Netis · Netis Wf2471

Published

2020-02-12

Updated

2020-02-21

CVE-2020-8946

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Netis WF2471 version 1.2.30142

Description The issue allows an authenticated attacker to execute arbitrary OS commands. This is achieved by using shell metacharacters in the log 3g type parameter of the "/cgi-bin-igd/sys log clean.cgi" API endpoint.

Recommendations For Netis WF2471 version 1.2.30142, avoid using the log 3g type parameter in the "/cgi-bin-igd/sys log clean.cgi" API endpoint until the issue is resolved. As a temporary workaround, consider restricting access to this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

CVE-2020-8946

Affected Products

Netis Wf2471

PT-2020-20384 · Netis · Netis Wf2471

CVE-2020-8946

Weakness Enumeration

Related Identifiers

Affected Products

References · 3