CVE-2024-11658

Name of the Vulnerable Software and Affected Versions EnGenius ENH1350EXT versions up to 20241118 EnGenius ENS500-AC versions up to 20241118 EnGenius ENS620EXT versions up to 20241118

Description A critical issue has been found in the affected devices, related to an unknown functionality of the file /admin/network/ajax getChannelList. The manipulation of the countryCode argument leads to command injection. This issue can be exploited remotely. The exploit has been disclosed publicly, and the vendor was contacted about this issue but did not respond.

Recommendations For EnGenius ENH1350EXT versions up to 20241118, consider disabling access to the /admin/network/ajax getChannelList file until a patch is available. For EnGenius ENS500-AC versions up to 20241118, restrict the use of the countryCode argument in the affected file to minimize the risk of exploitation. For EnGenius ENS620EXT versions up to 20241118, avoid using the /admin/network/ajax getChannelList file remotely until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.