PT-2021-23803 · Victure · Victure Wr1200
Published
2021-11-30
·
Updated
2021-12-03
·
CVE-2021-43283
CVSS v2.0
9.0
High
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Victure WR1200 versions 1.0.0 through 1.0.3
Description
A command injection issue was found within the web interface of the device, allowing an attacker with valid credentials to inject arbitrary shell commands to be executed by the device with root privileges. This occurs in the
ping and traceroute features, enabling an attacker to open a reverse shell on the device with root privileges.Recommendations
For versions 1.0.0 through 1.0.3, as a temporary workaround, consider disabling the
ping and traceroute features until a patch is available. Restrict access to the web interface to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.Exploit
Fix
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Victure Wr1200