PT-2024-26873 · Engenius · Engenius Ews356-Fit

Edward Warren

Published

2024-11-11

Updated

2024-11-12

CVE-2024-36061

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions EnGenius EWS356-FIT devices through 1.1.30

Description The issue allows an attacker to execute arbitrary OS commands via shell metacharacters to the Ping and Speed Test utilities, enabling blind OS command injection.

Recommendations For EnGenius EWS356-FIT devices through 1.1.30, consider disabling the Ping and Speed Test utilities until a patch is available to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

CVE-2024-36061

Affected Products

Engenius Ews356-Fit

PT-2024-26873 · Engenius · Engenius Ews356-Fit

CVE-2024-36061

Weakness Enumeration

Related Identifiers

Affected Products

References · 5