PT-2024-2490 · Ruijie · Ruijie Rg-Eg350

H0E4A0R1T · Published 2024-03-18 · Updated 2025-11-03 · CVE-2024-2910

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Ruijie RG-EG350 versions prior to 20240319

Description

A critical issue exists in the vpnAction function of the /itbox_pi/vpn_quickset_service.php?a=set_vpn file within the HTTP POST Request Handler component. The issue stems from a failure to neutralize special elements used in operating system commands. Exploitation allows a remote attacker to execute arbitrary commands through manipulation of the ip/port/user/pass/dns/startIp argument. The exploit has been publicly disclosed.

Recommendations

Ruijie RG-EG350 versions prior to 20240319: Update to version 20240319 or later. As a temporary workaround, restrict access to the /itbox_pi/vpn_quickset_service.php?a=set_vpn endpoint.
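
An added detection example (not part of the original advisory and not Ruijie's code): the function below flags POST requests to the affected endpoint whose ip/port/user/pass/dns/startIp values carry shell metacharacters, for use over request logs that include form bodies. The underscore spelling of the endpoint path, the metacharacter set and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: endpoint path and action as read from the advisory text.
ENDPOINT = "/itbox_pi/vpn_quickset_service.php"
ACTION = "set_vpn"
# Parameters named in the advisory description.
PARAMS = ("ip", "port", "user", "pass", "dns", "startIp")
# Assumed set of characters that let a value escape a shell command argument.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n\r'\"]")

def suspicious_params(method, url, body):
    """Return sorted names of advisory parameters carrying shell metacharacters."""
    parts = urlsplit(url)
    if method.upper() != "POST" or parts.path != ENDPOINT:
        return []
    if ACTION not in parse_qs(parts.query).get("a", []):
        return []
    # parse_qs percent-decodes values, so encoded metacharacters are caught too.
    form = parse_qs(body, keep_blank_values=True)
    return sorted(name for name in PARAMS
                  if any(SHELL_META.search(v) for v in form.get(name, [])))

# Constructed sample records (method, URL, form body); not captured traffic.
SAMPLES = [
    ("POST", "/itbox_pi/vpn_quickset_service.php?a=set_vpn",
     "ip=10.8.0.1&port=1194&user=branch01&pass=Secret123"
     "&dns=10.8.0.53&startIp=10.8.0.100"),
    ("POST", "/itbox_pi/vpn_quickset_service.php?a=set_vpn",
     "ip=10.8.0.1%3Becho+constructed&port=1194&user=branch01"
     "&pass=Secret123&dns=10.8.0.53&startIp=10.8.0.100"),
    ("POST", "/itbox_pi/vpn_quickset_service.php?a=set_vpn",
     "ip=10.8.0.1&port=1194&user=branch01&pass=x"
     "&dns=%60echo+constructed%60&startIp=10.8.0.100%7C"),
    ("GET", "/index.php", ""),
]

def scan(records):
    """Return (record index, flagged parameter names) for each suspicious record."""
    return [(i, hits) for i, r in enumerate(records)
            if (hits := suspicious_params(*r))]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLES):
        print(f"record {idx}: shell metacharacters in {', '.join(hits)}")
```

A legitimate password can contain some of these characters, so a hit on `pass` alone is a triage signal rather than proof of an attempt.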

Exploit

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2024-02470
CVE-2024-2910

Affected Products

Ruijie Rg-Eg350