CVE-2021-33963

Name of the Vulnerable Software and Affected Versions China Mobile An Lianbao WF-1 version 1.0.1

Description The issue concerns a command injection vulnerability in the web interface of the affected router. Specifically, the "/api/ZRMacClone/mac addr clone" endpoint, which receives parameters via POST request, is vulnerable due to the macType parameter. This vulnerability allows an attacker to execute remote commands.

Recommendations For China Mobile An Lianbao WF-1 version 1.0.1, as a temporary workaround, consider restricting access to the /api/ZRMacClone/mac addr clone endpoint to minimize the risk of exploitation. Avoid using the macType parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.