PT-2021-17115 · Nozomi Networks · Nozomi Networks Cmc+1
Erik De Jong · Published 2021-02-22 · Updated 2024-05-28
CVE-2021-26724
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Nozomi Networks Guardian versions 20.0.7.3 and prior versions
Nozomi Networks CMC versions 20.0.7.3 and prior versions
Description
The web GUI of Nozomi Networks Guardian and CMC contains an OS Command Injection vulnerability that occurs when changing the date settings or the hostname. It allows authenticated administrators to perform remote code execution.
Recommendations
For Nozomi Networks Guardian versions 20.0.7.3 and prior versions, update to a version that fixes this issue.
For Nozomi Networks CMC versions 20.0.7.3 and prior versions, update to a version that fixes this issue.
As a temporary workaround, consider restricting access to the web GUI for changing date settings or hostname until a patch is available.
Fix
OS Command Injection
Affected Products
Nozomi Networks Cmc
Nozomi Networks Guardian