OS command injection in NETGEAR products - #VU10440
Published: February 9, 2018
Vulnerability identifier: #VU10440
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-78
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: NETGEAR
Affected software:
R6100
D7800
EX6200v2
R7800
R7500v2
R7500
R6100
D7800
EX6200v2
R7800
R7500v2
R7500
Detailed vulnerability description
The vulnerability allows an local root-privileged attacker to execute shell commands on the target system.
The weakness exists due to post-authentication command injection. A local attacker can inject and execute arbitrary commands with root privileges during short time window when WPS is activated.
Successful exploitation of the vulnerability may result in system compromise.
The weakness exists due to post-authentication command injection. A local attacker can inject and execute arbitrary commands with root privileges during short time window when WPS is activated.
Successful exploitation of the vulnerability may result in system compromise.
Remediation
Update to the latest version.