#VU26286 OS Command Injection in Merit LILIN Ent. Co., Ltd. products

Published: March 21, 2020


Vulnerability identifier: #VU26286
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: N/A
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability: The vulnerability is being exploited in the wild
Vulnerable software:
DHD516A
DHD508A
DHD504A
DHD316A
DHD308A
DHD304A
DHD204
DHD204A
DHD208
DHD208A
DHD216
DHD216A
Software vendor:
Merit LILIN Ent. Co., Ltd.

Description

The vulnerability allows a remote authenticated user to execute arbitrary shell commands on the target system.

The vulnerability exists due to missing sanitization of user-supplied data passed to the /z/zbin/dvr_box endpoint when it processes XML configuration files. The affected parameters are NTPUpdate, FTP and NTP. A remote authenticated user can inject shell metacharacters into these values and execute arbitrary OS commands on the target system with the privileges of the DVR's web service.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Note: this vulnerability can be exploited by an unauthenticated attacker when chained with the hard-coded credentials issue (described in vulnerability #1), which removes the authentication requirement reflected in the PR:L metric above.
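The following is an added illustration of the CWE-78 pattern behind this class of bug; it is hypothetical code written for this page and is not the LILIN firmware or anything taken from the affected devices. It assumes a configuration handler that receives the NTP server value from the XML request and hands it to a system utility (here `ntpdate`, an assumed command): the unsafe version pastes the value into a shell command line, the hardened version validates the value as a hostname and executes the utility directly through `execvp` without a shell.

```c
/* Hypothetical DVR-style configuration handler (not the vendor's code).
 * Models how an XML-supplied NTP server value reaches an OS command. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define CMD_MAX 256

/* VULNERABLE pattern: the XML value is interpolated into a shell command.
 * A value such as "pool.ntp.org;id" makes /bin/sh run "id" as well.
 * This function only builds the string so the result can be inspected;
 * a real handler would pass it to system() or popen(). */
int build_ntp_command_unsafe(const char *server, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "ntpdate -u %s", server);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Demonstration helper: build the unsafe command line and report whether
 * the attacker-controlled suffix survived into it (1 = yes, 0 = no). */
int unsafe_command_contains(const char *server, const char *needle)
{
    char buf[CMD_MAX];
    if (build_ntp_command_unsafe(server, buf, sizeof buf) != 0) return 0;
    return strstr(buf, needle) != NULL;
}

/* Hardened input check: allow only hostname characters (letters, digits,
 * '.' and '-'), bounded length, no leading/trailing separator.
 * Returns 1 if acceptable, 0 otherwise. */
int ntp_server_is_valid(const char *server)
{
    size_t len = strlen(server);
    if (len == 0 || len > 253) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)server[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return 0;
    }
    if (server[0] == '-' || server[0] == '.' ||
        server[len - 1] == '-' || server[len - 1] == '.') return 0;
    return 1;
}

/* Hardened execution: validate first, then exec with an argv array.
 * No shell is involved, so metacharacters in the value are never
 * interpreted even if the allow-list above were later loosened.
 * Returns the utility's exit status, or -1 on rejection/failure. */
int run_ntp_update_safe(const char *server)
{
    if (!ntp_server_is_valid(server)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "ntpdate", "-u", (char *)server, NULL };
        execvp(argv[0], argv);   /* assumed utility; not run in the test */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample input modelling an injected NTP server value. */
    const char *payload = "pool.ntp.org;id";
    char buf[CMD_MAX];
    build_ntp_command_unsafe(payload, buf, sizeof buf);
    printf("unsafe command line: %s\n", buf);
    printf("validator accepts payload: %d\n", ntp_server_is_valid(payload));
    printf("safe runner result for payload: %d\n", run_ntp_update_safe(payload));
    return 0;
}
```

The two fixes are independent and both matter: the allow-list stops the injected value at the parser, and the argv-based exec ensures that even a value that slips through validation is passed to the utility as a single argument rather than parsed by a shell.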


Remediation

Install updates from the vendor's website. Because the vulnerability is being exploited in the wild, do not expose the DVR's web interface to untrusted networks until the update is applied, and review the device for signs of prior compromise.

External links