CVE-2024-48455

Name of the Vulnerable Software and Affected Versions Netis Wifi6 Router NX10 versions 2.0.1.3643 through 2.0.1.3582 Netis Wifi 11AC Router NC65 version 3.0.0.3749 Netis Wifi 11AC Router NC63 versions 3.0.0.3327 through 3.0.0.3503 Netis Wifi 11AC Router NC21 versions 3.0.0.3800 through 3.0.0.3329 Netis Wifi Router MW5360 versions 1.0.1.3442 through 1.0.1.3031

Description The issue is related to insufficient protection of service data in the web interface of Netis Wi-Fi routers. This allows a remote attacker to obtain sensitive information via the mode name and wl link parameters of the skk get.cgi component. There is no information about the estimated number of potentially affected devices or real-world incidents where this issue was exploited.

Recommendations For Netis Wifi6 Router NX10 versions 2.0.1.3643 and 2.0.1.3582, consider disabling the skk get.cgi component until a patch is available. For Netis Wifi 11AC Router NC65 version 3.0.0.3749, restrict access to the skk get.cgi component to minimize the risk of exploitation. For Netis Wifi 11AC Router NC63 versions 3.0.0.3327 through 3.0.0.3503, avoid using the mode name and wl link parameters in the affected API endpoint until the issue is resolved. For Netis Wifi 11AC Router NC21 versions 3.0.0.3800 through 3.0.0.3329, consider temporarily disabling the skk get.cgi component until a patch is available. For Netis Wifi Router MW5360 versions 1.0.1.3442 through 1.0.1.3031, restrict access to the vulnerable module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.