CVE-2024-7469

Name of the Vulnerable Software and Affected Versions Raisecom MSG1200, MSG2100E, MSG2200 and MSG2300 version 3.90

Description The issue is related to the function sslvpn config mod of the file /vpn/list vpn web custom.php in the web interface of the affected devices. It is caused by the failure to neutralize special elements used in the command when processing the template and stylenum parameters. This can lead to OS command injection, allowing a remote attacker to execute arbitrary commands. The attack can be initiated remotely.

Recommendations For Raisecom MSG1200, MSG2100E, MSG2200 and MSG2300 version 3.90, as a temporary workaround, consider disabling the sslvpn config mod function until a patch is available. Restrict access to the /vpn/list vpn web custom.php file to minimize the risk of exploitation. Avoid using the template and stylenum parameters in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.