CVE-2022-43971

Name of the Vulnerable Software and Affected Versions Linksys WUMC710 Wireless-AC Universal Media Connector version 1.0.02 (build3) and earlier

Description An arbitrary code execution issue exists due to the do setNTP function within the httpd binary using unvalidated user input in the construction of a system command. An authenticated attacker with administrator privileges can exploit this over the network via a malicious GET or POST request to "/setNTP.cgi" to execute arbitrary commands on the underlying Linux operating system as root.

Recommendations For Linksys WUMC710 Wireless-AC Universal Media Connector version 1.0.02 (build3) and earlier, as a temporary workaround, consider disabling the do setNTP function until a patch is available. Restrict access to the "/setNTP.cgi" endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.