CVE-2024-7120

Name of the Vulnerable Software and Affected Versions Raisecom MSG1200, MSG2100E, MSG2200 and MSG2300 version 3.90

Description A critical vulnerability was found in the Web Interface component of Raisecom devices, specifically in the file list base config.php. The manipulation of the template argument leads to os command injection, allowing remote attackers to execute arbitrary commands. The exploit has been disclosed to the public and may be used. The vulnerability can be exploited by initiating a remote attack, potentially allowing attackers to execute arbitrary code by injecting a specially crafted curl command.

Recommendations For Raisecom MSG1200, MSG2100E, MSG2200 and MSG2300 version 3.90, as a temporary workaround, consider disabling the list base config.php file or restricting access to the Web Interface until a patch is available. Avoid using the template argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.