#VU86168 Improper access control in Omada ER605
Vulnerability identifier: #VU86168
Vulnerability risk: Low
CVSSv3.1: 5.9 [CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-284
Exploitation vector: Local network
Exploit availability: No
Vulnerable software:
Omada ER605
Hardware solutions /
Routers & switches, VoIP, GSM, etc
Vendor:
Description
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper handling of the name field in the access control user interface. A remote administrator on the local network can bypass implemented security restrictions and execute arbitrary code on the target system.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
External links
http://www.zerodayinitiative.com/advisories/ZDI-24-086/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
