CVE-2024-50374

Name of the Vulnerable Software and Affected Versions: Advantech EKI-6333AC-2G versions 1.6.3 and earlier Advantech EKI-6333AC-2GD versions 1.6.3 and earlier Advantech EKI-6333AC-1GPO versions 1.2.1 and earlier

Description: A vulnerability was discovered in the "capture packages" operation of Advantech's EKI-6333AC series devices, which can be exploited by remote unauthenticated users to execute malicious commands with root privileges. The issue is related to the improper neutralization of special elements used in an OS command, allowing attackers to inject arbitrary commands. No authentication is required to interact with the vulnerable "edgserver" service, which is enabled by default on the access points.

Recommendations: For Advantech EKI-6333AC-2G versions 1.6.3 and earlier, consider disabling the "edgserver" service or restricting access to it until a patch is available. For Advantech EKI-6333AC-2GD versions 1.6.3 and earlier, consider disabling the "edgserver" service or restricting access to it until a patch is available. For Advantech EKI-6333AC-1GPO versions 1.2.1 and earlier, consider disabling the "edgserver" service or restricting access to it until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.