PT-2023-2337 · Unknown · Rg-Ew3200Gx Pro Wireless Routers+2
Published: 2023-03-04 · Updated: 2023-04-03
CVE-2023-27796
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
RG-EW1200G PRO Wireless Routers version EW 3.0(1)B11P204
RG-EW1800GX PRO Wireless Routers version EW 3.0(1)B11P204
RG-EW3200GX PRO Wireless Routers version EW 3.0(1)B11P204
Description
The issue is related to the lack of input data sanitization in the embedded software of the affected routers. This can be exploited by a remote attacker to execute arbitrary code through the data.ip, data.protocal, data.iface, and data.package parameters in the runPackDiagnose function of diagnose.lua. The vulnerability allows for command injection, which can lead to unauthorized access and control.
Recommendations
For RG-EW1200G PRO Wireless Routers version EW 3.0(1)B11P204, consider disabling the runPackDiagnose function in diagnose.lua until a patch is available.
For RG-EW1800GX PRO Wireless Routers version EW 3.0(1)B11P204, restrict access to the data.ip, data.protocal, data.iface, and data.package parameters in the runPackDiagnose function of diagnose.lua to minimize the risk of exploitation.
For RG-EW3200GX PRO Wireless Routers version EW 3.0(1)B11P204, avoid using the data.ip, data.protocal, data.iface, and data.package parameters in the affected API endpoint until the issue is resolved.
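One way to apply the parameter restriction recommended above, as an added example that is not the vendor's code or a patch: strict allowlist validation of the four parameters before any of them is used to build a command. The meaning of each field, the accepted protocol set, the count range and the helper name `validate_diagnose_params` are assumptions, since the page does not show the contents of diagnose.lua.

```lua
-- Added example, not vendor code. Field meanings and accepted values are assumptions.
local ALLOWED_PROTOCOLS = { tcp = true, udp = true, icmp = true } -- assumed set

-- Strict dotted-quad IPv4: exactly four decimal octets in 0-255.
local function is_ipv4(s)
  if type(s) ~= "string" then return false end
  local octets = { s:match("^(%d%d?%d?)%.(%d%d?%d?)%.(%d%d?%d?)%.(%d%d?%d?)$") }
  if #octets ~= 4 then return false end
  for _, o in ipairs(octets) do
    if tonumber(o) > 255 then return false end
  end
  return true
end

-- Interface name: alphanumerics plus . _ - and at most 15 characters (Linux limit).
local function is_iface(s)
  return type(s) == "string" and #s <= 15
    and s:match("^[A-Za-z0-9][A-Za-z0-9%._%-]*$") ~= nil
end

-- Assumed meaning of data.package: a packet count between 1 and 1000.
local function is_count(v)
  if type(v) ~= "string" and type(v) ~= "number" then return false end
  local n = tostring(v):match("^%d%d?%d?%d?$") and tonumber(v)
  return n ~= nil and n >= 1 and n <= 1000
end

-- Returns a table holding only validated values, or nil and the rejected field name.
local function validate_diagnose_params(data)
  if type(data) ~= "table" then return nil, "data" end
  if not is_ipv4(data.ip) then return nil, "ip" end
  if type(data.protocal) ~= "string" or not ALLOWED_PROTOCOLS[data.protocal] then return nil, "protocal" end
  if not is_iface(data.iface) then return nil, "iface" end
  if not is_count(data.package) then return nil, "package" end
  return { ip = data.ip, protocal = data.protocal, iface = data.iface, package = tonumber(data.package) }
end

-- Constructed sample requests (not captured traffic).
local samples = {
  { ip = "192.168.110.1", protocal = "icmp", iface = "br-wan", package = "10" },
  { ip = "192.168.110.1; id", protocal = "icmp", iface = "br-wan", package = "10" },
  { ip = "192.168.110.1", protocal = "icmp", iface = "br-wan", package = "10\nid" },
}
for i, s in ipairs(samples) do
  local ok, field = validate_diagnose_params(s)
  print(i, ok and "accepted" or ("rejected: " .. field))
end
```

Lua's `$` anchor matches only at the true end of the string, so a trailing newline followed by extra text does not slip past these patterns.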
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
Rg-Ew1200G Pro Wireless Routers
Rg-Ew1800Gx Pro Wireless Routers
Rg-Ew3200Gx Pro Wireless Routers