PT-2022-10306 · China Mobile · China Mobile An Lianbao Wf-1

Published: 2022-01-18 · Updated: 2022-01-24 · CVE-2021-33965

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

China Mobile An Lianbao WF-1 version 1.0.1

Description

The China Mobile An Lianbao WF-1 router provides a web interface at the "/api/ZRMesh/set ZRMesh" endpoint, which receives parameters by POST request. The mesh enable and mesh device parameters have a command injection issue. An attacker can exploit this to execute remote commands.

Recommendations

For China Mobile An Lianbao WF-1 version 1.0.1, consider disabling the /api/ZRMesh/set ZRMesh endpoint until a patch is available. This prevents exploitation of the command injection vulnerability in the mesh enable and mesh device parameters.

Command Injection

Weakness Enumeration

Related Identifiers

CVE-2021-33965

Affected Products

China Mobile An Lianbao Wf-1