CVE-2024-11655

Name of the Vulnerable Software and Affected Versions EnGenius ENH1350EXT versions up to 20241118 EnGenius ENS500-AC versions up to 20241118 EnGenius ENS620EXT versions up to 20241118

Description A critical vulnerability was found in the specified EnGenius devices, affecting the file /admin/network/diag pinginterface. The manipulation of the diag ping argument leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Recommendations For EnGenius ENH1350EXT versions up to 20241118, consider disabling access to the /admin/network/diag pinginterface file until a patch is available. For EnGenius ENS500-AC versions up to 20241118, restrict the use of the diag ping argument in the affected file to minimize the risk of exploitation. For EnGenius ENS620EXT versions up to 20241118, avoid using the diag ping argument in the /admin/network/diag pinginterface file until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.