CVE-2024-45242

EnGenius ENH1350EXT A8J-ENH1350EXT devices through 3.9.3.2_c1.9.51 allow (blind) OS Command Injection via shell metacharacters to the Ping or Speed Test utility. During the time of initial setup, the device creates an open unsecured network whose admin panel is configured with the default credentials of admin/admin. An unauthorized attacker in proximity to the Wi-Fi network can exploit this window of time to execute arbitrary OS commands with root-level permissions.
Configurations

No configuration.

History

28 Oct 2024, 19:35

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.8
CWE CWE-78

25 Oct 2024, 12:56

Type Values Removed Values Added
Summary
  • (es) Los dispositivos EnGenius ENH1350EXT A8J-ENH1350EXT hasta 3.9.3.2_c1.9.51 permiten la inyección (ciega) de comandos del SO a través de metacaracteres de shell a la utilidad Ping o Speed Test. Durante el tiempo de configuración inicial, el dispositivo crea una red abierta no segura cuyo panel de administración está configurado con las credenciales predeterminadas de admin/admin. Un atacante no autorizado que se encuentre cerca de la red Wi-Fi puede aprovechar este lapso de tiempo para ejecutar comandos arbitrarios del SO con permisos de nivel raíz.

24 Oct 2024, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-24 20:15

Updated : 2024-10-28 19:35


NVD link : CVE-2024-45242

Mitre link : CVE-2024-45242

CVE.ORG link : CVE-2024-45242


JSON object : View

Products Affected

No product.

CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')