OS command injection in NETGEAR products - #VU10438
Published: February 9, 2018
Vulnerability identifier: #VU10438
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-78
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: NETGEAR
Affected software:
D6220
D8500
D6400
R6250
R6400
R6400v2
R6700
R6900P
R6900
R7000P
R7000
R7100LG
R7300DST
R7900
R8000
R8300
R8500
D6220
D8500
D6400
R6250
R6400
R6400v2
R6700
R6900P
R6900
R7000P
R7000
R7100LG
R7300DST
R7900
R8000
R8300
R8500
Detailed vulnerability description
The vulnerability allows an local attacker to execute shell commands on the target system.
The weakness exists due to command injection. A local attacker can use the device_name parameter on the lan.cgi page to inject and execute arbitrary commands with root privileges.
Successful exploitation of the vulnerability may result in system compromise.
The weakness exists due to command injection. A local attacker can use the device_name parameter on the lan.cgi page to inject and execute arbitrary commands with root privileges.
Successful exploitation of the vulnerability may result in system compromise.
Remediation
Update to the latest version.