CVE-2021-44080

Name of the Vulnerable Software and Affected Versions SerComm h500s versions prior to the fixed version

Description The issue exists due to the lack of neutralization of special elements used in the operating system command. This allows a remote attacker to execute arbitrary commands via the connection type parameter. The vulnerability can be exploited through the "statussupport diagnostic tracing.json" endpoint, allowing logged-in administrators to execute arbitrary OS commands as root on the device.

Recommendations For SerComm h500s versions prior to the fixed version, consider disabling the statussupport diagnostic tracing.json endpoint until a patch is available. Restrict access to the connection type parameter to minimize the risk of exploitation. Avoid using the connection type parameter in the affected endpoint until the issue is resolved.