CVE-2024-5336

Name of the Vulnerable Software and Affected Versions Ruijie RG-UAC versions up to 20240516

Description The issue exists due to the lack of measures to neutralize special elements used in the operating system command. This allows a remote attacker to execute arbitrary commands by manipulating the phyport argument in the addVlan function of the /view/networkConfig/vlan/vlan add commit.php file, leading to os command injection. The exploit has been disclosed to the public and may be used.

Recommendations For versions up to 20240516, as a temporary workaround, consider restricting access to the /view/networkConfig/vlan/vlan add commit.php file until a patch is available. Avoid using the phyport argument in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.