CVE-2024-11654

Name of the Vulnerable Software and Affected Versions EnGenius ENH1350EXT versions up to 20241118 EnGenius ENS500-AC versions up to 20241118 EnGenius ENS620EXT versions up to 20241118

Description A critical vulnerability has been found in EnGenius devices, affecting an unknown part of the file /admin/network/diag traceroute6. The manipulation of the diag traceroute6 argument leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Recommendations For EnGenius ENH1350EXT versions up to 20241118, consider disabling access to the /admin/network/diag traceroute6 endpoint until a patch is available. For EnGenius ENS500-AC versions up to 20241118, consider disabling access to the /admin/network/diag traceroute6 endpoint until a patch is available. For EnGenius ENS620EXT versions up to 20241118, consider disabling access to the /admin/network/diag traceroute6 endpoint until a patch is available. As a temporary workaround, consider restricting the use of the diag traceroute6 argument in the affected endpoint to minimize the risk of exploitation.