PT-2023-1075 · Inhand Networks · Inrouter 615

Otorio

Published: 2023-01-12 · Updated: 2023-05-16 · CVE-2023-22598

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

InHand Networks InRouter 302 versions prior to IR302 V3.5.56
InHand Networks InRouter 615 versions prior to InRouter6XX-S-V2.3.0.r5542

Description

The issue is related to improper neutralization of special elements used in an OS command, which could allow an unauthorized user with privileged access to the local web interface or the cloud account managing the affected devices to push a specially crafted configuration update file. This could lead to remote code execution with root privileges.

Recommendations

For InHand Networks InRouter 302 versions prior to IR302 V3.5.56, update to version IR302 V3.5.56 or later.
For InHand Networks InRouter 615 versions prior to InRouter6XX-S-V2.3.0.r5542, update to version InRouter6XX-S-V2.3.0.r5542 or later.
As a temporary workaround, consider restricting access to the local web interface and cloud account managing the affected devices to minimize the risk of exploitation.

Fix

Weakness Enumeration

OS Command Injection

Related Identifiers

BDU:2023-00208
CVE-2023-22598

Affected Products

Inrouter302
Inrouter 615