CVE-2024-48073

Name of the Vulnerable Software and Affected Versions sunniwell HT3300 versions before 1.0.0.B022.2

Description The issue concerns insecure permissions in the sunniwell HT3300 device, specifically with the /usr/local/bin/update program, which is used for software updates and has the execution mode of sudo NOPASSWD. This program is vulnerable to a command injection vulnerability, allowing an attacker to pass commands via command line arguments to gain elevated root privileges.

Recommendations For sunniwell HT3300 versions before 1.0.0.B022.2, update to version 1.0.0.B022.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the /usr/local/bin/update program to minimize the risk of exploitation.