PT-2024-17160 · Engenius · Engenius Enh1350Ext+2
Liutong
·
Published
2024-11-24
·
Updated
2024-12-10
·
CVE-2024-11651
CVSS v3.1
7.2
High
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
EnGenius ENH1350EXT, ENS500-AC, and ENS620EXT versions up to 20241118
Description
A critical issue affects an unknown function of the file /admin/network/wifi schedule. The manipulation of the argument
wifi schedule day em 5 leads to command injection. It is possible to launch the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.Recommendations
For EnGenius ENH1350EXT, ENS500-AC, and ENS620EXT versions up to 20241118, update to the latest firmware to mitigate risks.
As a temporary workaround, consider restricting access to the /admin/network/wifi schedule file until a patch is available.
Avoid using the argument
wifi schedule day em 5 in the affected API endpoint until the issue is resolved.Exploit
Fix
Special Elements Injection
Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Engenius Enh1350Ext
Engenius Ens500-Ac
Engenius Ens620Ext