CVE-2016-15047

Name of the Vulnerable Software and Affected Versions AVTECH devices (affected versions not specified)

Description AVTECH devices that include the CloudSetup.cgi management endpoint are susceptible to authenticated OS command injection. The exefile parameter within the ''CloudSetup.cgi'' endpoint is passed to the underlying system command execution without sufficient validation or whitelisting. An authenticated attacker capable of invoking this endpoint can provide crafted input to execute arbitrary system commands as root. Successful exploitation can grant full control of the device, potentially enabling credential theft, lateral movement, or data exfiltration, depending on the deployment and network access of the device.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.