#VU10434 OS command injection in NETGEAR products
Published: February 9, 2018
Vulnerability identifier: #VU10434
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-78
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
D8500
R6100
R6400v2
R6400
R8300
R8500
D8500
R6100
R6400v2
R6400
R8300
R8500
Software vendor:
NETGEAR
NETGEAR
Description
The vulnerability allows an local root-privileged attacker to execute shell commands on the target system.
The weakness exists due to post-authentication command injection. A local attacker can use the device_name parameter on the lan.cgi page to inject and execute arbitrary commands with root privileges.
Successful exploitation of the vulnerability may result in system compromise.
The weakness exists due to post-authentication command injection. A local attacker can use the device_name parameter on the lan.cgi page to inject and execute arbitrary commands with root privileges.
Successful exploitation of the vulnerability may result in system compromise.
Remediation
Update to the latest version.