PT-2023-26676 · Rg-Ew+6
He Nan +1
Published 2023-08-17 · Updated 2023-08-23
CVE-2023-38902
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
RG-EW series home routers and repeaters versions EW 3.0(1)B11P204 through EW 3.0(1)B11P219
RG-NBS and RG-S1930 series switches versions SWITCH 3.0(1)B11P218 through SWITCH 3.0(1)B11P219
RG-EG series business VPN routers versions EG 3.0(1)B11P216 through EG 3.0(1)B11P219
EAP and RAP series wireless access points versions AP 3.0(1)B11P218 through AP 3.0(1)B11P219
NBC series wireless controllers versions AC 3.0(1)B11P86 through AC 3.0(1)B11P219
Description
A command injection issue allows an authenticated attacker to execute arbitrary commands on remote devices by sending a POST request to "/cgi-bin/luci/api/cmd" with a crafted remoteIp field. The issue also allows a remote attacker to execute arbitrary code via the unifyframe-sgi.elf component in sub 40DA38.
Recommendations
For RG-EW series home routers and repeaters versions EW 3.0(1)B11P204 through EW 3.0(1)B11P219, restrict access to the "/cgi-bin/luci/api/cmd" endpoint to minimize the risk of exploitation.
For RG-NBS and RG-S1930 series switches versions SWITCH 3.0(1)B11P218 through SWITCH 3.0(1)B11P219, consider disabling the unifyframe-sgi.elf component until a patch is available.
For RG-EG series business VPN routers versions EG 3.0(1)B11P216 through EG 3.0(1)B11P219, avoid using the remoteIp field in the affected API endpoint until the issue is resolved.
For EAP and RAP series wireless access points versions AP 3.0(1)B11P218 through AP 3.0(1)B11P219, restrict access to the vulnerable module to minimize the risk of exploitation.
For NBC series wireless controllers versions AC 3.0(1)B11P86 through AC 3.0(1)B11P219, consider temporarily disabling the sub 40DA38 function until a patch is available.
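The description above names the vulnerable endpoint and the remoteIp field. As an added example (not code from the advisory or from the vendor), the following defender-side check flags POST requests to that endpoint whose remoteIp value is anything other than a bare IP literal, which is the only shape the field should ever carry. The "METHOD PATH JSON-body" log format and the sample lines are constructed for this example; real device logs will differ.

```python
import ipaddress
import json
from urllib.parse import urlparse

# Endpoint and field named in the advisory for CVE-2023-38902.
VULNERABLE_PATH = "/cgi-bin/luci/api/cmd"
SUSPECT_FIELD = "remoteIp"


def is_ip_literal(value):
    """True only if value is a bare IPv4 or IPv6 address (nothing else is a legitimate remoteIp)."""
    if not isinstance(value, str):
        return False
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def check_request(method, path, body):
    """Classify one request: 'ignore' (not the cmd endpoint), 'ok', or 'suspicious'.
    body is the decoded JSON document of the POST, as a dict."""
    if method.upper() != "POST" or urlparse(path).path != VULNERABLE_PATH:
        return "ignore"
    if SUSPECT_FIELD not in body:
        return "ok"
    return "ok" if is_ip_literal(body[SUSPECT_FIELD]) else "suspicious"


# Constructed sample log: "METHOD PATH JSON-body" per line (assumed format, not a real device log).
SAMPLE_LOG = [
    'POST /cgi-bin/luci/api/cmd {"remoteIp": "192.0.2.10"}',
    'POST /cgi-bin/luci/api/cmd?x=1 {"remoteIp": "192.0.2.10; echo x"}',
    'GET /cgi-bin/luci/api/status {"remoteIp": "192.0.2.10; echo x"}',
    'POST /cgi-bin/luci/api/cmd {"remoteIp": "2001:db8::1"}',
    'POST /cgi-bin/luci/api/cmd {"remoteIp": ["192.0.2.10"]}',
]


def scan_log(lines):
    """Return the 1-based line numbers of suspicious requests; unparseable bodies are treated as empty."""
    findings = []
    for n, line in enumerate(lines, 1):
        method, path, raw = line.split(" ", 2)
        try:
            body = json.loads(raw)
        except json.JSONDecodeError:
            body = {}
        if check_request(method, path, body if isinstance(body, dict) else {}) == "suspicious":
            findings.append(n)
    return findings
```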
Weakness Enumeration
Command Injection
Affected Products
Eap
Nbc
Rap
Rg-Eg
Rg-Ew
Rg-Nbs
Rg-S1930