A command injection vulnerability in HNAP1/GetNetworkTomographySettings of Motorola CX2 router CX 1.0.2 Build 20190508 Rel.97360n allows attackers to execute arbitrary code.

An issue was discovered on Motorola C1 and M2 devices with firmware 1.01 and 1.07 respectively. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body for the SetStaticRouteSettings API function, as demonstrated by shell metacharacters in the staticroute_list field.

An issue was discovered on Motorola C1 and M2 devices with firmware 1.01 and 1.07 respectively. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body for the SetSmartQoSSettings API function, as demonstrated by shell metacharacters in the smartqos_priority_devices field.

An issue was discovered on Motorola C1 and M2 devices with firmware 1.01 and 1.07 respectively. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body for the SetWLanACLSettings API function, as demonstrated by shell metacharacters in the wl(0).(0)_maclist field.

An issue was discovered on Motorola C1 and M2 devices with firmware 1.01 and 1.07 respectively. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body for the SetNTPServerSettings API function, as demonstrated by shell metacharacters in the system_time_timezone field.

An issue was discovered on Motorola C1 and M2 devices with firmware 1.01 and 1.07 respectively. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body for the SetNetworkTomographySettings API function, as demonstrated by shell metacharacters in the tomography_ping_number field.

The Motorola MH702x devices, prior to version 2.0.0.301, do not properly verify the server certificate during communication with the support server which could lead to the communication channel being accessible by an attacker.

Some Motorola devices include the SIMalliance Toolbox Browser (aka S@T Browser) on the UICC, which might allow remote attackers to retrieve location and IMEI information, or retrieve other data or execute certain commands, via SIM Toolkit (STK) instructions in an SMS message, aka Simjacker.

An attacker can access the maintenance console using hard coded credentials for a hidden wireless network on the device.

The Motorola CableRouter allows any remote user to connect to and configure the router on port 1024.

A memory leak in a Motorola CableRouter allows remote attackers to conduct a denial of service via a large number of telnet connections.

Motorola MBTS Site Controller accepts hard-coded backdoor password. The Motorola MBTS Site Controller Man Machine Interface (MMI), allowing for service technicians to diagnose and configure the device, accepts a hard-coded backdoor password that cannot be changed or disabled.

Multiple buffer overflows in Motorola Timbuktu Pro before 8.6.5 for Windows allow remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via (1) a long user name and (2) certain malformed requests; and (3) allow remote Timbuktu servers to have an unknown impact via a malformed HELLO response, related to the Scanner component and possibly related to a malformed computer name.

The Motorola ACE1000 RTU through 2022-05-02 has default credentials. It exposes an SSH interface on port 22/TCP. This interface is used for remote maintenance and for SFTP file-transfer operations that are part of engineering software functionality. Access to this interface is controlled by 5 preconfigured accounts (root, abuilder, acelogin, cappl, ace), all of which come with default credentials. Although the ACE1000 documentation mentions the root, abuilder and acelogin accounts and instructs users to change the default credentials, the cappl and ace accounts remain undocumented and thus are unlikely to have their credentials changed.

The Motorola ACE1000 RTU through 2022-05-02 uses ECB encryption unsafely. It can communicate with an XRT LAN-to-radio gateway by means of an embedded client. Credentials for accessing this gateway are stored after being encrypted with the Tiny Encryption Algorithm (TEA) in ECB mode using a hardcoded key. Similarly, the ACE1000 RTU can route MDLC traffic over Extended Command and Management Protocol (XCMP) and Network Layer (XNL) networks via the MDLC driver. Authentication to the XNL port is protected by TEA in ECB mode using a hardcoded key.

The Motorola ACE1000 RTU through 2022-05-02 ships with a hardcoded SSH private key and initialization scripts (such as /etc/init.d/sshd_service) only generate a new key if no private-key file exists. Thus, this hardcoded key is likely to be used by default.

A privilege escalation vulnerability was reported in the MM1000 device configuration web server, which could allow privileged shell access and/or arbitrary privileged commands to be executed on the adapter.

A command injection vulnerability exists in Motorola CX2L router v1.0.2 and below. The vulnerability is present in the SetStationSettings function. The system directly invokes the system function to execute commands for setting parameters such as MAC address without proper input filtering. This allows malicious users to inject and execute arbitrary commands.

An issue was discovered in Motorola CX2 1.01 and M2 1.01. There is a command injection in the function downloadFirmware in hnap, which leads to remote code execution via shell metacharacters in a JSON value.

An issue was discovered in Motorola CX2 1.01 and M2 1.01. There is a command injection in the function startRmtAssist in hnap, which leads to remote code execution via shell metacharacters in a JSON value.

The '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by anonymous users and can be abused to execute arbitrary commands on the system.

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetUSBShareInfo. This vulnerability allows attackers to execute arbitrary commands via the usbOrdinaryUserName parameter.

totolink a3100r V5.9c.4577 is vulnerable to os command injection. The backend of a page is executing the "ping" command, and the input field does not adequately filter special symbols. This can lead to command injection attacks.

LogonTracer 1.2.0 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors.

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the domain parameter to end-user/index.php.

mySCADA myPRO does not properly neutralize POST requests sent to a specific port with version information. This vulnerability could be exploited by an attacker to execute arbitrary commands on the affected system.

A command injection vulnerability in the apex-publish-static-files npm module version <2.0.1 which allows arbitrary shell command execution through a maliciously crafted argument.

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetNetCheckTools. This vulnerability allows attackers to execute arbitrary commands via the hostName parameter.

A Remote Command Execution (RCE) vulnerability exists in HNAP1/control/SetNetworkTomographySettings.php of D-Link Router DIR-846 DIR846A1_FW100A43.bin and DIR846enFW100A53DLA-Retail.bin because backticks can be used for command injection when judging whether it is a reasonable domain name.

In GenieACS 1.2.x before 1.2.8, the UI interface API is vulnerable to unauthenticated OS command injection via the ping host argument (lib/ui/api.ts and lib/ping.ts). The vulnerability arises from insufficient input validation combined with a missing authorization check.

Remote Command Execution (RCE) vulnerability exists in HNAP1/control/SetWizardConfig.php in D-Link Router DIR-846 DIR846A1_FW100A43.bin and DIR846enFW100A53DLA-Retail.bin. Malicoius users can use this vulnerability to use "\ " or backticks in the shell metacharacters in the ssid0 or ssid1 parameters to cause arbitrary command execution. Since CVE-2019-17510 vulnerability has not been patched and improved www/hnap1/control/setwizardconfig.php, can also use line breaks and backquotes to bypass.

Telesquare SDT-CW3B1 1.1.0 is affected by an OS command injection vulnerability that allows a remote attacker to execute OS commands without any authentication.

Remote Code Execution (RCE) vulnerability exists in D-Link Router DIR-846 DIR846A1_FW100A43.bin and DIR846enFW100A53DLA-Retail.bin. Malicious users can use this vulnerability to use "\ " or backticks to bypass the shell metacharacters in the ssid0 or ssid1 parameters to execute arbitrary commands.This vulnerability is due to the fact that CVE-2019-17509 is not fully patched and can be bypassed by using line breaks or backticks on its basis.

OS command injection vulnerability exists in network storage servers STEALTHONE D220/D340 provided by Y'S corporation. An attacker who can access the affected product may execute an arbitrary OS command.

An issue was discovered in Pascom Cloud Phone System before 7.20.x. In the management REST API, /services/apply in exd.pl allows remote attackers to execute arbitrary code via shell metacharacters.

The test connection functionality in the NetAudit section of Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to command injection due to improper sanitization of the rancid_password parameter.

A vulnerability classified as critical has been found in TOTOLINK EX1800T 9.1.0cu.2112_B20220316. This affects the function setDmzCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument ip leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

A remote unauthenticated user can execute commands as root in the Belkin N750 using firmware version 1.10.22 by sending a crafted HTTP request to twonky_command.cgi.

A vulnerability, which was classified as critical, was found in Tenda AC7 1200M 15.03.06.44. Affected is the function TendaTelnet of the file /goform/telnet. The manipulation of the argument lan_ip leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

A vulnerability was detected in TRENDnet TEW-713RE 1.02. The impacted element is an unknown function of the file /goformX/formFSrvX. The manipulation of the argument SZCMD results in os command injection. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

An issue was discovered in multiple models of Axis IP Cameras. There is Shell Command Injection.

A vulnerability has been found in Sangfor Operation and Maintenance Management System up to 3.0.8. This vulnerability affects the function uploadCN of the file VersionController.java. The manipulation of the argument filename leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability classified as critical was found in hzmanyun Education and Training System 3.1.1. Affected by this vulnerability is the function pdf2swf of the file /pdf2swf. The manipulation of the argument file leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. They allow remote IMAP servers to execute arbitrary commands via backquote characters, related to the mailboxes command associated with an automatic subscription.

A vulnerability, which was classified as critical, was found in LB-LINK AC1900 Router 1.0.2. Affected is the function websGetVar of the file /goform/set_manpwd. The manipulation of the argument routepwd  leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

A remote unauthenticated user can execute commands as root in the Belkin N750 using firmware version 1.10.22 by sending a crafted HTTP request to proxy.cgi.