CVE-2021-40222

Name of the Vulnerable Software and Affected Versions Rittal CMC PU III Web management versions V3.11.00 2 through V3.17.10

Description The issue is related to a remote code execution vulnerability. It is possible to introduce shell code to create a reverse shell in the PU-Hostname field of the TCP/IP Configuration dialog. The web application fails to sanitize user input on the Network TCP/IP configuration page, allowing an attacker to inject commands as root on the device, which will be executed once the data is received.

Recommendations For versions V3.11.00 2 through V3.17.10, update to a version later than V3.17.10 to resolve the issue. As a temporary workaround, consider restricting access to the TCP/IP Configuration dialog to minimize the risk of exploitation. Avoid using the PU-Hostname field in the TCP/IP Configuration dialog until the issue is resolved.