CVE-2024-53939.txt

An issue was discovered in Victure RX1800 WiFi 6 Router (software EN_V1.0.0_r12_110933, hardware 1.0) devices. The /cgi-bin/luci/admin/opsw/Dual_freq_un_apple endpoint is vulnerable to
> command injection through the 2.4 GHz and 5 GHz name parameters, allowing an attacker to execute arbitrary commands on the device (with root-level permissions) via crafted input.
>
> ------------------------------------------
>
> [Vulnerability Type Other]
> CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
>
> ------------------------------------------
>
> [Vendor of Product]
> Victure
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Product Name: Victure RX1800 WiFi 6 Router - Software Version: EN_V1.0.0_r12_110933
>
> ------------------------------------------
>
> [Affected Component]
> /cgi-bin/luci/admin/opsw/Dual_freq_un_apple endpoint, vulnerable to command injection
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Impact Escalation of Privileges]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> Command Injection on Dual Frequency Endpoint: The /cgi-bin/luci/admin/opsw/Dual_freq_un_apple endpoint allows command injection via the parameters used to name the 2.4 GHz and 5 GHz Wi-Fi networks. By sending malicious payloads through these parameters, an attacker can execute arbitrary commands on the device.
>
> ------------------------------------------
>
> [Reference]
> https://www.newegg.com/p/2W6-002R-00004
> https://github.com/actuator/cve/tree/main/Victure
>
> ------------------------------------------
>
> [Discoverer]
> Edward Warren