PT-2024-10065 · Netis · Netis Wifi 11Ac Router Nc63+4

Published: 2024-12-27 · Updated: 2025-01-08 · CVE-2024-48456

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Netis Wifi6 Router NX10 versions 2.0.1.3582 through 2.0.1.3643
Netis Wifi 11AC Router NC65 version 3.0.0.3749
Netis Wifi 11AC Router NC63 versions 3.0.0.3327 through 3.0.0.3503
Netis Wifi 11AC Router NC21 versions 3.0.0.3329 through 3.0.0.3800
Netis Wifi Router MW5360 versions 1.0.1.3031 through 1.0.1.3442

Description

The issue allows a remote attacker to obtain sensitive information via the password parameter at the change admin password page on the router's web interface. This is related to a web interface management software vulnerability in Netis Wi-Fi routers, which is associated with reading beyond the valid range in memory. Exploitation of the vulnerability may allow a remote attacker to elevate privileges by processing the password parameter.

Recommendations

For Netis Wifi6 Router NX10 versions 2.0.1.3582 through 2.0.1.3643, restrict access to the change admin password page on the web interface until a fix is available.
For Netis Wifi 11AC Router NC65 version 3.0.0.3749, avoid using the password parameter in the affected API endpoint until the issue is resolved.
For Netis Wifi 11AC Router NC63 versions 3.0.0.3327 through 3.0.0.3503, consider disabling the change admin password functionality temporarily.
For Netis Wifi 11AC Router NC21 versions 3.0.0.3329 through 3.0.0.3800, limit access to the web interface to minimize the risk of exploitation.
For Netis Wifi Router MW5360 versions 1.0.1.3031 through 1.0.1.3442, apply configuration changes to restrict the use of the vulnerable component.

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Out of bounds Read

Weakness Enumeration

Related Identifiers

BDU:2025-00203
CVE-2024-48456

Affected Products

Netis Wifi 11Ac Router Nc21
Netis Wifi 11Ac Router Nc63
Netis Wifi 11Ac Router Nc65
Netis Wifi Router Mw5360
Netis Wifi6 Router Nx10