Name of the Vulnerable Software and Affected Versions:
Jointelli 5G CPE 21H01 firmware version 1.36
Description:
Jointelli 5G CPE 21H01 firmware version 1.36 contains a blind OS command injection issue. Multiple API endpoints are vulnerable, including `/ubus/?flag=set WPS pin`, `/ubus/?flag=netAppStar1`, and `/ubus/?flag=set wifi cfgs`. An authenticated attacker can execute arbitrary OS commands with root privileges by providing crafted inputs to the SSID, WPS, Traceroute, and Ping fields.
Recommendations:
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
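
For the class of bug described above, the code-level remedy is to allow-list each of the named fields (SSID, WPS PIN, ping/traceroute target) and to start helper programs with an argument vector instead of a shell command string. The following C code is an added example, not the vendor's code and not part of the original advisory. The function names, the 8-digit checksum form of the WPS PIN, the no-control-bytes SSID policy and the `ping -c 1` invocation are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <spawn.h>
#include <string.h>
#include <sys/wait.h>
/* Added example: hypothetical helper names, not the firmware's own code. */
extern char **environ;

/* WPS PIN: exactly 8 decimal digits, the last one being the checksum digit. */
int valid_wps_pin(const char *s) {
    int sum = 0;
    if (!s || strlen(s) != 8) return 0;
    for (int i = 0; i < 8; i++) {
        if (!isdigit((unsigned char)s[i])) return 0;
        sum += (i % 2 == 0 ? 3 : 1) * (s[i] - '0');
    }
    return sum % 10 == 0;
}

/* SSID: 1..32 bytes, no control bytes (policy assumption). Characters such as
 * ';' or '$' are legal in an SSID, so it must only ever be handled as data. */
int valid_ssid(const char *s) {
    size_t n = s ? strlen(s) : 0;
    if (n < 1 || n > 32) return 0;
    for (size_t i = 0; i < n; i++)
        if (iscntrl((unsigned char)s[i])) return 0;
    return 1;
}

/* Ping/traceroute target: hostname or IP literal, allow-listed characters. */
int valid_host(const char *s) {
    size_t n = s ? strlen(s) : 0;
    if (n < 1 || n > 253 || s[0] == '-') return 0;  /* no option smuggling */
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && !strchr(".-:", s[i])) return 0;
    return 1;
}

/* Run ping with an argument vector; no shell ever parses the host string.
 * Returns the exit status, or -1 if the input is rejected or spawning fails. */
int run_ping(const char *host) {
    pid_t pid;
    int status;
    if (!valid_host(host)) return -1;
    char *argv[] = {"ping", "-c", "1", (char *)host, NULL};
    if (posix_spawnp(&pid, "ping", NULL, NULL, argv, environ) != 0) return -1;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Because a valid SSID may contain shell metacharacters, validation alone does not make it safe to interpolate into a command line; the value has to be written to configuration or passed as a single argument.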