Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-37564

Summary
Assigner-jpcert
Assigner Org ID-ede6fdc4-6654-4307-a26d-3331c018e2ce
Published At-13 Jul, 2023 | 03:01
Updated At-06 Nov, 2024 | 15:24
Rejected At-
Credits

OS command injection vulnerability in ELECOM wireless LAN routers allows a network-adjacent authenticated attacker to execute an arbitrary OS command with a root privilege by sending a specially crafted request. Affected products and versions are as follows: WRC-1167GHBK-S v1.03 and earlier, WRC-1167GEBK-S v1.03 and earlier, WRC-1167FEBK-S v1.04 and earlier, WRC-1167GHBK3-A v1.24 and earlier, and WRC-1167FEBK-A v1.18 and earlier.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:jpcert
Assigner Org ID:ede6fdc4-6654-4307-a26d-3331c018e2ce
Published At:13 Jul, 2023 | 03:01
Updated At:06 Nov, 2024 | 15:24
Rejected At:
▼CVE Numbering Authority (CNA)

OS command injection vulnerability in ELECOM wireless LAN routers allows a network-adjacent authenticated attacker to execute an arbitrary OS command with a root privilege by sending a specially crafted request. Affected products and versions are as follows: WRC-1167GHBK-S v1.03 and earlier, WRC-1167GEBK-S v1.03 and earlier, WRC-1167FEBK-S v1.04 and earlier, WRC-1167GHBK3-A v1.24 and earlier, and WRC-1167FEBK-A v1.18 and earlier.

Affected Products
Vendor
Elecom Co., Ltd.ELECOM CO.,LTD.
Product
WRC-1167GHBK-S
Versions
Affected
  • v1.03 and earlier
Vendor
Elecom Co., Ltd.ELECOM CO.,LTD.
Product
WRC-1167GEBK-S
Versions
Affected
  • v1.03 and earlier
Vendor
Elecom Co., Ltd.ELECOM CO.,LTD.
Product
WRC-1167FEBK-S
Versions
Affected
  • v1.04 and earlier
Vendor
Elecom Co., Ltd.ELECOM CO.,LTD.
Product
WRC-1167GHBK3-A
Versions
Affected
  • v1.24 and earlier
Vendor
Elecom Co., Ltd.ELECOM CO.,LTD.
Product
WRC-1167FEBK-A
Versions
Affected
  • v1.18 and earlier
Problem Types
TypeCWE IDDescription
textN/AOS command injection
Type: text
CWE ID: N/A
Description: OS command injection
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.elecom.co.jp/news/security/20230711-01/
N/A
https://jvn.jp/en/jp/JVN05223215/
N/A
Hyperlink: https://www.elecom.co.jp/news/security/20230711-01/
Resource: N/A
Hyperlink: https://jvn.jp/en/jp/JVN05223215/
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.elecom.co.jp/news/security/20230711-01/
x_transferred
https://jvn.jp/en/jp/JVN05223215/
x_transferred
Hyperlink: https://www.elecom.co.jp/news/security/20230711-01/
Resource:
x_transferred
Hyperlink: https://jvn.jp/en/jp/JVN05223215/
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Vendor
Elecom Co., Ltd.elecom
Product
wrc-1167ghbk-s
CPEs
  • cpe:2.3:h:elecom:wrc-1167ghbk-s:-:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 0 through 1.03 (custom)
Vendor
Elecom Co., Ltd.elecom
Product
wrc-1167gebk-s
CPEs
  • cpe:2.3:h:elecom:wrc-1167gebk-s:-:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 0 through 1.03 (custom)
Vendor
Elecom Co., Ltd.elecom
Product
wrc-1167febk-s
CPEs
  • cpe:2.3:h:elecom:wrc-1167febk-s:-:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 0 through 1.04 (custom)
Vendor
Elecom Co., Ltd.elecom
Product
wrc-1167ghbk3-a
CPEs
  • cpe:2.3:h:elecom:wrc-1167ghbk3-a:-:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 0 through 1.24 (custom)
Vendor
Elecom Co., Ltd.elecom
Product
wrc-1167febk-a
CPEs
  • cpe:2.3:h:elecom:wrc-1167febk-a:-:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 0 through 1.18 (custom)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:vultures@jpcert.or.jp
Published At:13 Jul, 2023 | 04:15
Updated At:25 Jul, 2023 | 14:49

OS command injection vulnerability in ELECOM wireless LAN routers allows a network-adjacent authenticated attacker to execute an arbitrary OS command with a root privilege by sending a specially crafted request. Affected products and versions are as follows: WRC-1167GHBK-S v1.03 and earlier, WRC-1167GEBK-S v1.03 and earlier, WRC-1167FEBK-S v1.04 and earlier, WRC-1167GHBK3-A v1.24 and earlier, and WRC-1167FEBK-A v1.18 and earlier.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.18.0HIGH
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 8.0
Base severity: HIGH
Vector:
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CPE Matches
Elecom Co., Ltd.
elecom
>>wrc-1167ghbk-s_firmware>>Versions up to 1.03(inclusive)
cpe:2.3:o:elecom:wrc-1167ghbk-s_firmware:*:*:*:*:*:*:*:*
Elecom Co., Ltd.
elecom
>>wrc-1167ghbk-s>>-
cpe:2.3:h:elecom:wrc-1167ghbk-s:-:*:*:*:*:*:*:*
Elecom Co., Ltd.
elecom
>>wrc-1167gebk-s_firmware>>Versions up to 1.03(inclusive)
cpe:2.3:o:elecom:wrc-1167gebk-s_firmware:*:*:*:*:*:*:*:*
Elecom Co., Ltd.
elecom
>>wrc-1167gebk-s>>-
cpe:2.3:h:elecom:wrc-1167gebk-s:-:*:*:*:*:*:*:*
Elecom Co., Ltd.
elecom
>>wrc-1167febk-s_firmware>>Versions up to 1.04(inclusive)
cpe:2.3:o:elecom:wrc-1167febk-s_firmware:*:*:*:*:*:*:*:*
Elecom Co., Ltd.
elecom
>>wrc-1167febk-s>>-
cpe:2.3:h:elecom:wrc-1167febk-s:-:*:*:*:*:*:*:*
Elecom Co., Ltd.
elecom
>>wrc-1167ghbk3-a_firmware>>Versions up to 1.24(inclusive)
cpe:2.3:o:elecom:wrc-1167ghbk3-a_firmware:*:*:*:*:*:*:*:*
Elecom Co., Ltd.
elecom
>>wrc-1167ghbk3-a>>-
cpe:2.3:h:elecom:wrc-1167ghbk3-a:-:*:*:*:*:*:*:*
Elecom Co., Ltd.
elecom
>>wrc-1167febk-a_firmware>>Versions up to 1.18(inclusive)
cpe:2.3:o:elecom:wrc-1167febk-a_firmware:*:*:*:*:*:*:*:*
Elecom Co., Ltd.
elecom
>>wrc-1167febk-a>>-
cpe:2.3:h:elecom:wrc-1167febk-a:-:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-78Primarynvd@nist.gov
CWE ID: CWE-78
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://jvn.jp/en/jp/JVN05223215/vultures@jpcert.or.jp
Third Party Advisory
https://www.elecom.co.jp/news/security/20230711-01/vultures@jpcert.or.jp
Vendor Advisory
Hyperlink: https://jvn.jp/en/jp/JVN05223215/
Source: vultures@jpcert.or.jp
Resource:
Third Party Advisory
Hyperlink: https://www.elecom.co.jp/news/security/20230711-01/
Source: vultures@jpcert.or.jp
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

146Records found
CVE-2023-43752
Matching Score-10
Assigner-JPCERT/CC
ShareView Details
Matching Score-10
Assigner-JPCERT/CC
CVSS Score-8||HIGH
EPSS-0.16% / 37.09%
||
7 Day CHG~0.00%
Published-16 Nov, 2023 | 06:46
Updated-02 Aug, 2024 | 19:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS command injection vulnerability in WRC-X3000GS2-W v1.05 and earlier, WRC-X3000GS2-B v1.05 and earlier, and WRC-X3000GS2A-B v1.05 and earlier allows a network-adjacent authenticated user to execute an arbitrary OS command by sending a specially crafted request.

Action-Not Available
Vendor-Elecom Co., Ltd.
Product-wrc-x3000gs2-b_firmwarewrc-x3000gs2-bwrc-x3000gs2-w_firmwarewrc-x3000gs2-wwrc-x3000gs2a-b_firmwarewrc-x3000gs2a-bWRC-X3000GS2-WWRC-X3000GS2A-BWRC-X3000GS2-B
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-20863
Matching Score-10
Assigner-JPCERT/CC
ShareView Details
Matching Score-10
Assigner-JPCERT/CC
CVSS Score-8||HIGH
EPSS-1.24% / 78.41%
||
7 Day CHG~0.00%
Published-01 Dec, 2021 | 02:15
Updated-03 Aug, 2024 | 17:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS command injection vulnerability in ELECOM routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-1750GSV firmware v2.11 and prior, WRC-1900GST firmware v1.03 and prior, WRC-2533GST firmware v1.03 and prior, WRC-2533GSTA firmware v1.03 and prior, WRC-2533GST2 firmware v1.25 and prior, WRC-2533GST2SP firmware v1.25 and prior, WRC-2533GST2-G firmware v1.25 and prior, and EDWRC-2533GST2 firmware v1.25 and prior) allows a network-adjacent authenticated attackers to execute an arbitrary OS command with the root privilege via unspecified vectors.

Action-Not Available
Vendor-Elecom Co., Ltd.
Product-wrc-2533gs2-b_firmwarewrc-2533gst2-g_firmwarewrc-2533gst2_firmwarewrc-2533gst2spwrc-2533gst_firmwarewrc-2533gst2edwrc-2533gst2_firmwarewrc-1750gsv_firmwarewrc-1167gst2a_firmwarewrc-2533gsta_firmwarewrc-1167gst2awrc-1750gsvwrc-2533gs2-bwrc-2533gs2-w_firmwarewrc-1900gstwrc-1167gst2wrc-2533gst2sp_firmwarewrc-1750gs_firmwarewrc-2533gstawrc-2533gst2-gwrc-1750gswrc-1167gst2_firmwarewrc-2533gs2-wwrc-1900gst_firmwarewrc-2533gstwrc-1167gst2hwrc-1167gst2h_firmwareedwrc-2533gst2ELECOM routers
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-20859
Matching Score-10
Assigner-JPCERT/CC
ShareView Details
Matching Score-10
Assigner-JPCERT/CC
CVSS Score-8||HIGH
EPSS-0.33% / 54.92%
||
7 Day CHG~0.00%
Published-01 Dec, 2021 | 02:15
Updated-03 Aug, 2024 | 17:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ELECOM LAN routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-1750GSV firmware v2.11 and prior, WRC-1900GST firmware v1.03 and prior, WRC-2533GST firmware v1.03 and prior, WRC-2533GSTA firmware v1.03 and prior, WRC-2533GST2 firmware v1.25 and prior, WRC-2533GST2SP firmware v1.25 and prior, WRC-2533GST2-G firmware v1.25 and prior, and EDWRC-2533GST2 firmware v1.25 and prior) allows a network-adjacent authenticated attacker to execute an arbitrary OS command via unspecified vectors.

Action-Not Available
Vendor-Elecom Co., Ltd.
Product-wrc-2533gs2-b_firmwarewrc-2533gst2-g_firmwarewrc-2533gst2_firmwarewrc-2533gst2spwrc-2533gst_firmwarewrc-2533gst2edwrc-2533gst2_firmwarewrc-1750gsv_firmwarewrc-1167gst2a_firmwarewrc-2533gsta_firmwarewrc-1167gst2awrc-1750gsvwrc-2533gs2-bwrc-2533gs2-w_firmwarewrc-1900gstwrc-1167gst2wrc-2533gst2sp_firmwarewrc-1750gs_firmwarewrc-2533gstawrc-2533gst2-gwrc-1750gswrc-1167gst2_firmwarewrc-2533gs2-wwrc-1900gst_firmwarewrc-2533gstwrc-1167gst2hwrc-1167gst2h_firmwareedwrc-2533gst2ELECOM LAN routers
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-38576
Matching Score-8
Assigner-JPCERT/CC
ShareView Details
Matching Score-8
Assigner-JPCERT/CC
CVSS Score-8||HIGH
EPSS-0.13% / 33.08%
||
7 Day CHG~0.00%
Published-18 Aug, 2023 | 09:39
Updated-08 Oct, 2024 | 15:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Hidden functionality vulnerability in LAN-WH300N/RE all versions provided by LOGITEC CORPORATION allows an authenticated user to execute arbitrary OS commands on a certain management console.

Action-Not Available
Vendor-LOGITEC CORPORATIONlogitecElecom Co., Ltd.
Product-lan-wh300n\/relan-wh300n\/re_firmwareLAN-WH300N/RElan-wh300n_re
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-37566
Matching Score-8
Assigner-JPCERT/CC
ShareView Details
Matching Score-8
Assigner-JPCERT/CC
CVSS Score-8||HIGH
EPSS-0.50% / 64.93%
||
7 Day CHG~0.00%
Published-13 Jul, 2023 | 01:44
Updated-06 Nov, 2024 | 18:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Command injection vulnerability in ELECOM and LOGITEC wireless LAN routers allows a network-adjacent authenticated attacker to execute an arbitrary command by sending a specially crafted request to the web management page. Affected products and versions are as follows: WRC-1167GHBK3-A v1.24 and earlier, WRC-1167FEBK-A v1.18 and earlier, WRC-F1167ACF2 all versions, WRC-600GHBK-A all versions, WRC-733FEBK2-A all versions, WRC-1467GHBK-A all versions, WRC-1900GHBK-A all versions, and LAN-W301NR all versions.

Action-Not Available
Vendor-LOGITEC CORPORATIONElecom Co., Ltd.
Product-wrc-1167febk-a_firmwarewrc-1167ghbk3-a_firmwarewrc-1167febk-awrc-1167ghbk3-aWRC-1167FEBK-AWRC-1900GHBK-ALAN-W301NRWRC-1467GHBK-AWRC-F1167ACF2WRC-1167GHBK3-AWRC-733FEBK2-AWRC-600GHBK-Awrc-f1167acf2wrc-1467ghbk-awrc-600ghbk-alan-w301nrwrc-1167febk-awrc-733febk2-awrc-1900ghbk-awrc-1167ghbk3-a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-37565
Matching Score-8
Assigner-JPCERT/CC
ShareView Details
Matching Score-8
Assigner-JPCERT/CC
CVSS Score-8||HIGH
EPSS-0.15% / 35.87%
||
7 Day CHG~0.00%
Published-13 Jul, 2023 | 03:04
Updated-07 Nov, 2024 | 14:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Code injection vulnerability in ELECOM wireless LAN routers allows a network-adjacent authenticated attacker to execute arbitrary code by sending a specially crafted request. Affected products and versions are as follows: WRC-1167GHBK-S v1.03 and earlier, WRC-1167GEBK-S v1.03 and earlier, WRC-1167FEBK-S v1.04 and earlier, WRC-1167GHBK3-A v1.24 and earlier, and WRC-1167FEBK-A v1.18 and earlier.

Action-Not Available
Vendor-Elecom Co., Ltd.
Product-wrc-1167ghbk-s_firmwarewrc-1167gebk-s_firmwarewrc-1167febk-s_firmwarewrc-1167gebk-swrc-1167febk-swrc-1167ghbk3-a_firmwarewrc-1167febk-a_firmwarewrc-1167febk-awrc-1167ghbk-swrc-1167ghbk3-aWRC-1167GHBK-SWRC-1167GEBK-SWRC-1167GHBK3-AWRC-1167FEBK-AWRC-1167FEBK-Swrc-1167gebk-swrc-1167febk-swrc-1167febk-awrc-1167ghbk-swrc-1167ghbk3-a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-37568
Matching Score-8
Assigner-JPCERT/CC
ShareView Details
Matching Score-8
Assigner-JPCERT/CC
CVSS Score-8||HIGH
EPSS-0.13% / 33.08%
||
7 Day CHG~0.00%
Published-13 Jul, 2023 | 01:48
Updated-05 Nov, 2024 | 15:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ELECOM wireless LAN routers WRC-1167GHBK-S v1.03 and earlier, and WRC-1167GEBK-S v1.03 and earlier allow a network-adjacent authenticated attacker to execute an arbitrary command by sending a specially crafted request to the web management page.

Action-Not Available
Vendor-Elecom Co., Ltd.
Product-wrc-1167ghbk-s_firmwarewrc-1167ghbk-swrc-1167gebk-swrc-1167gebk-s_firmwareWRC-1167GEBK-SWRC-1167GHBK-Swrc-1167ghbk-swrc-1167gebk-s
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-26258
Matching Score-6
Assigner-JPCERT/CC
ShareView Details
Matching Score-6
Assigner-JPCERT/CC
CVSS Score-6.8||MEDIUM
EPSS-0.22% / 44.39%
||
7 Day CHG+0.06%
Published-04 Apr, 2024 | 00:03
Updated-26 Nov, 2024 | 08:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS command injection vulnerability in ELECOM wireless LAN routers allows a network-adjacent attacker with credentials to execute arbitrary OS commands by sending a specially crafted request to the product.

Action-Not Available
Vendor-Elecom Co., Ltd.
Product-WRC-G01-WWRC-X3200GST3-BWRC-2533GST2WRC-1167GST2wrc-x3200gst3-b_firmwarewrc-g01-w_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-25579
Matching Score-6
Assigner-JPCERT/CC
ShareView Details
Matching Score-6
Assigner-JPCERT/CC
CVSS Score-6.8||MEDIUM
EPSS-0.15% / 36.48%
||
7 Day CHG~0.00%
Published-28 Feb, 2024 | 23:08
Updated-03 Dec, 2024 | 17:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS command injection vulnerability in ELECOM wireless LAN routers allows a network-adjacent attacker with an administrative privilege to execute arbitrary OS commands by sending a specially crafted request to the product. Note that WMC-X1800GST-B is also included in e-Mesh Starter Kit "WMC-2LX-B".

Action-Not Available
Vendor-Elecom Co., Ltd.
Product-WRC-2533GS2-BWRC-2533GS2-WWRC-1167GS2H-BWRC-2533GS2V-BWMC-X1800GST-BWRC-2533GST2WRC-X3200GST3-BWRC-G01-WWRC-1167GS2-BWRC-1167GST2wrc-2533gs2-b_firmwarewrc-1167gs2h-b_firmwarewmc-x1800gst-b_firmwarewrc-2533gst2_firmwarewrc-2533gs2v-b_firmwarewrc-x3200gst3-b_firmwarewrc-g01-w_firmwarewrc-1167gst2_firmwarewrc-2533gs2-w_firmwarewrc-1167gs2-b_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-22372
Matching Score-6
Assigner-JPCERT/CC
ShareView Details
Matching Score-6
Assigner-JPCERT/CC
CVSS Score-6.8||MEDIUM
EPSS-0.17% / 39.11%
||
7 Day CHG~0.00%
Published-24 Jan, 2024 | 04:38
Updated-17 Jun, 2025 | 21:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS command injection vulnerability in ELECOM wireless LAN routers allows a network-adjacent attacker with an administrative privilege to execute arbitrary OS commands by sending a specially crafted request to the product.

Action-Not Available
Vendor-Elecom Co., Ltd.
Product-wrc-x6000xs-g_firmwarewrc-x6000xs-gwrc-x1800gsa-b_firmwarewrc-x1800gs-b_firmwarewrc-x1800gsh-bwrc-x6000xst-g_firmwarewrc-x1800gsa-bwrc-x1800gs-bwrc-x6000xst-gwrc-x1800gsh-b_firmwareWRC-X3000GS2A-BWRC-X1800GSA-BWRC-X6000QS-GWRC-X6000QSA-GWRC-X1800GS-BWRC-XE5400GS-GWRC-XE5400GSA-GWRC-X1500GS-BWRC-X1500GSA-BWRC-X1800GSH-BWRC-X3000GS2-BWRC-X6000XS-GWRC-X3000GS2-WWRC-X6000XST-G
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-20739
Matching Score-6
Assigner-JPCERT/CC
ShareView Details
Matching Score-6
Assigner-JPCERT/CC
CVSS Score-8.8||HIGH
EPSS-0.33% / 55.45%
||
7 Day CHG~0.00%
Published-07 Jul, 2021 | 07:05
Updated-03 Aug, 2024 | 17:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

WRC-300FEBK, WRC-F300NF, WRC-733FEBK, WRH-300RD, WRH-300BK, WRH-300SV, WRH-300WH, WRH-H300WH, WRH-H300BK, WRH-300BK-S, and WRH-300WH-S all versions allows an unauthenticated network-adjacent attacker to execute an arbitrary OS command via unspecified vectors.

Action-Not Available
Vendor-Elecom Co., Ltd.
Product-wrh-300svwrh-300wh_firmwarewrh-300bkwrc-733febk_firmwarewrh-h300wh_firmwarewrc-300febkwrh-h300whwrh-h300bk_firmwarewrc-f300nf_firmwarewrh-300sv_firmwarewrh-h300bkwrc-f300nfwrh-300wh-swrh-300bk-s_firmwarewrh-300bk_firmwarewrc-733febkwrh-300whwrh-300rd_firmwarewrc-300febk_firmwarewrh-300bk-swrh-300wh-s_firmwarewrh-300rdWRC-300FEBK, WRC-F300NF, WRC-733FEBK, WRH-300RD, WRH-300BK, WRH-300SV, WRH-300WH, WRH-H300WH, WRH-H300BK, WRH-300BK-S, and WRH-300WH-S
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-20648
Matching Score-6
Assigner-JPCERT/CC
ShareView Details
Matching Score-6
Assigner-JPCERT/CC
CVSS Score-6.8||MEDIUM
EPSS-0.30% / 52.40%
||
7 Day CHG~0.00%
Published-12 Feb, 2021 | 06:15
Updated-03 Aug, 2024 | 17:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ELECOM WRC-300FEBK-S allows an attacker with administrator rights to execute arbitrary OS commands via unspecified vectors.

Action-Not Available
Vendor-Elecom Co., Ltd.
Product-wrc-300febk-s_firmwarewrc-300febk-sWRC-300FEBK-S
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-39455
Matching Score-6
Assigner-JPCERT/CC
ShareView Details
Matching Score-6
Assigner-JPCERT/CC
CVSS Score-8.8||HIGH
EPSS-1.52% / 80.48%
||
7 Day CHG~0.00%
Published-18 Aug, 2023 | 09:42
Updated-02 Aug, 2024 | 18:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS command injection vulnerability in ELECOM wireless LAN routers allows an authenticated user to execute an arbitrary OS command by sending a specially crafted request. Affected products and versions are as follows: WRC-600GHBK-A all versions, WRC-1467GHBK-A all versions, WRC-1900GHBK-A all versions, WRC-733FEBK2-A all versions, WRC-F1167ACF2 all versions, WRC-1467GHBK-S all versions, and WRC-1900GHBK-S all versions.

Action-Not Available
Vendor-Elecom Co., Ltd.
Product-wrc-f1167acf2wrc-1467ghbk-awrc-1900ghbk-s_firmwarewrc-f1167acf2_firmwarewrc-1467ghbk-a_firmwarewrc-1467ghbk-swrc-1467ghbk-s_firmwarewrc-1900ghbk-swrc-600ghbk-a_firmwarewrc-600ghbk-awrc-733febk2-a_firmwarewrc-733febk2-awrc-1900ghbk-a_firmwarewrc-1900ghbk-aWRC-1900GHBK-SWRC-1900GHBK-AWRC-1467GHBK-SWRC-1467GHBK-AWRC-F1167ACF2WRC-733FEBK2-AWRC-600GHBK-A
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-40069
Matching Score-6
Assigner-JPCERT/CC
ShareView Details
Matching Score-6
Assigner-JPCERT/CC
CVSS Score-9.8||CRITICAL
EPSS-1.21% / 78.15%
||
7 Day CHG~0.00%
Published-18 Aug, 2023 | 09:44
Updated-08 Oct, 2024 | 20:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS command injection vulnerability in ELECOM wireless LAN routers allows an attacker who can access the product to execute an arbitrary OS command by sending a specially crafted request. Affected products and versions are as follows: WRC-F1167ACF all versions, WRC-1750GHBK all versions, WRC-1167GHBK2 all versions, WRC-1750GHBK2-I all versions, and WRC-1750GHBK-E all versions.

Action-Not Available
Vendor-Elecom Co., Ltd.
Product-wrc-1167ghbk2_firmwarewrc-f1167acfwrc-1750ghbk2-i_firmwarewrc-1750ghbk_firmwarewrc-1750ghbkwrc-1750ghbk-ewrc-f1167acf_firmwarewrc-1750ghbk2-iwrc-1167ghbk2wrc-1750ghbk-e_firmwareWRC-1750GHBKWRC-1167GHBK2WRC-1750GHBK-EWRC-F1167ACFWRC-1750GHBK2-Iwrc-1167ghbk2_firmwarewrc-1750ghbk2-i_firmwarewrc-1750ghbk_firmwarewrc-f1167acf_firmwarewrc-1750ghbk-e_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-40072
Matching Score-6
Assigner-JPCERT/CC
ShareView Details
Matching Score-6
Assigner-JPCERT/CC
CVSS Score-8.8||HIGH
EPSS-2.10% / 83.35%
||
7 Day CHG~0.00%
Published-18 Aug, 2023 | 09:45
Updated-03 Jul, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS command injection vulnerability in ELECOM wireless LAN access point devices allows an authenticated user to execute an arbitrary OS command by sending a specially crafted request.

Action-Not Available
Vendor-Elecom Co., Ltd.
Product-wab-s300_firmwarewab-s600-ps_firmwarewab-s300wab-s600-psWAB-S600-PSWAB-S1167-PSWAB-M1775-PSWAB-S1775WAB-I1750-PSWAB-M2133WAB-S300WAB-S1167
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-49695
Matching Score-6
Assigner-JPCERT/CC
ShareView Details
Matching Score-6
Assigner-JPCERT/CC
CVSS Score-6.8||MEDIUM
EPSS-0.17% / 38.28%
||
7 Day CHG~0.00%
Published-12 Dec, 2023 | 08:58
Updated-08 Oct, 2024 | 20:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS command injection vulnerability in WRC-X3000GSN v1.0.2, WRC-X3000GS v1.0.24 and earlier, and WRC-X3000GSA v1.0.24 and earlier allows a network-adjacent attacker with an administrative privilege to execute an arbitrary OS command by sending a specially crafted request to the product.

Action-Not Available
Vendor-Elecom Co., Ltd.
Product-wrc-x3000gsnwrc-x3000gsa_firmwarewrc-x3000gs_firmwarewrc-x3000gswrc-x3000gsn_firmwarewrc-x3000gsaWRC-X3000GSWRC-X3000GSNWRC-X3000GSAwrc-x3000gsn_firmwarewrc-x3000gsa_firmwarewrc-x3000gs_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-36103
Matching Score-6
Assigner-JPCERT/CC
ShareView Details
Matching Score-6
Assigner-JPCERT/CC
CVSS Score-6.8||MEDIUM
EPSS-0.19% / 41.07%
||
7 Day CHG~0.00%
Published-12 Jun, 2024 | 00:34
Updated-02 Aug, 2024 | 03:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS command injection vulnerability in WRC-X5400GS-B v1.0.10 and earlier, and WRC-X5400GSA-B v1.0.10 and earlier allows a network-adjacent attacker with an administrative privilege to execute arbitrary OS commands by sending a specially crafted request to the product.

Action-Not Available
Vendor-Elecom Co., Ltd.
Product-WRC-X5400GSA-BWRC-X5400GS-Bwrc-x5400gsa-bwrc-x5400gs-b
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-53472
Matching Score-6
Assigner-JPCERT/CC
ShareView Details
Matching Score-6
Assigner-JPCERT/CC
CVSS Score-8.6||HIGH
EPSS-0.24% / 46.44%
||
7 Day CHG-0.01%
Published-22 Jul, 2025 | 09:30
Updated-22 Jul, 2025 | 19:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

WRC-BE36QS-B and WRC-W701-B contain an improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in WebGUI. If exploited, an arbitrary OS command may be executed by a remote attacker who can log in to WebGUI.

Action-Not Available
Vendor-Elecom Co., Ltd.
Product-WRC-W701-BWRC-BE36QS-B
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-39607
Matching Score-6
Assigner-JPCERT/CC
ShareView Details
Matching Score-6
Assigner-JPCERT/CC
CVSS Score-6.8||MEDIUM
EPSS-0.57% / 67.67%
||
7 Day CHG~0.00%
Published-01 Aug, 2024 | 01:17
Updated-17 Feb, 2025 | 06:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS command injection vulnerability exists in ELECOM wireless LAN routers. A specially crafted request may be sent to the affected product by a logged-in user with an administrative privilege to execute an arbitrary OS command.

Action-Not Available
Vendor-Elecom Co., Ltd.
Product-WRC-X1500GSA-BWRC-X6000QSA-GWRC-X3000GS2-WWRC-X1800GS-BWRC-XE5400GSA-GWRC-XE5400GS-GWRC-X1500GS-BWRC-X3000GS2A-BWRC-X6000XST-GWRC-X1800GSH-BWRC-X6000XS-GWRC-X3000GS2-BWRC-X1800GSA-BWRC-X6000QS-Gwrc-x1500gsa-b_firmwarewrc-x1500gs-b_firmwarewrc-x6000xs-g_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-25568
Matching Score-6
Assigner-JPCERT/CC
ShareView Details
Matching Score-6
Assigner-JPCERT/CC
CVSS Score-8.8||HIGH
EPSS-0.40% / 59.74%
||
7 Day CHG+0.10%
Published-04 Apr, 2024 | 00:02
Updated-01 Aug, 2024 | 23:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS command injection vulnerability in ELECOM wireless LAN routers allows a network-adjacent unauthenticated attacker to execute arbitrary OS commands by sending a specially crafted request to the product. Affected products and versions are as follows: WRC-X3200GST3-B v1.25 and earlier, WRC-G01-W v1.24 and earlier, and WMC-X1800GST-B v1.41 and earlier. Note that WMC-X1800GST-B is also included in e-Mesh Starter Kit "WMC-2LX-B".

Action-Not Available
Vendor-Elecom Co., Ltd.
Product-WRC-G01-WWMC-X1800GST-BWRC-X3200GST3-Bwrc-x3200gst3-b_firmwarewrc-g01-w_firmwarewmc-x1800gst-b
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-48890
Matching Score-6
Assigner-JPCERT/CC
ShareView Details
Matching Score-6
Assigner-JPCERT/CC
CVSS Score-9.3||CRITICAL
EPSS-0.75% / 72.11%
||
7 Day CHG~0.00%
Published-24 Jun, 2025 | 04:37
Updated-26 Jun, 2025 | 18:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

WRH-733GBK and WRH-733GWH contain an improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in miniigd SOAP service. If a remote unauthenticated attacker sends a specially crafted request to the affected product, an arbitrary OS command may be executed.

Action-Not Available
Vendor-Elecom Co., Ltd.
Product-WRH-733GBKWRH-733GWH
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-43879
Matching Score-6
Assigner-JPCERT/CC
ShareView Details
Matching Score-6
Assigner-JPCERT/CC
CVSS Score-9.3||CRITICAL
EPSS-0.75% / 72.11%
||
7 Day CHG~0.00%
Published-24 Jun, 2025 | 04:37
Updated-26 Jun, 2025 | 19:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

WRH-733GBK and WRH-733GWH contain an improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in the telnet function. If a remote unauthenticated attacker sends a specially crafted request to the affected product, an arbitrary OS command may be executed.

Action-Not Available
Vendor-Elecom Co., Ltd.
Product-WRH-733GBKWRH-733GWH
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-41427
Matching Score-6
Assigner-JPCERT/CC
ShareView Details
Matching Score-6
Assigner-JPCERT/CC
CVSS Score-8.7||HIGH
EPSS-0.51% / 65.25%
||
7 Day CHG~0.00%
Published-24 Jun, 2025 | 04:37
Updated-26 Jun, 2025 | 18:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

WRC-X3000GS, WRC-X3000GSA, and WRC-X3000GSN contain an improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in Connection Diagnostics page. If a remote authenticated attacker sends a specially crafted request to the affected product, an arbitrary OS command may be executed.

Action-Not Available
Vendor-Elecom Co., Ltd.
Product-WRC-X3000GSWRC-X3000GSNWRC-X3000GSA
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-20854
Matching Score-6
Assigner-JPCERT/CC
ShareView Details
Matching Score-6
Assigner-JPCERT/CC
CVSS Score-6.8||MEDIUM
EPSS-0.35% / 56.44%
||
7 Day CHG~0.00%
Published-01 Dec, 2021 | 02:15
Updated-03 Aug, 2024 | 17:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ELECOM LAN routers (WRH-733GBK firmware v1.02.9 and prior and WRH-733GWH firmware v1.02.9 and prior) allows a network-adjacent attacker with an administrator privilege to execute arbitrary OS commands via unspecified vectors.

Action-Not Available
Vendor-Elecom Co., Ltd.
Product-wrh-733gbk_firmwarewrh-733gwh_firmwarewrh-733gbkwrh-733gwhELECOM LAN routers
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-39944
Matching Score-6
Assigner-JPCERT/CC
ShareView Details
Matching Score-6
Assigner-JPCERT/CC
CVSS Score-8.8||HIGH
EPSS-1.32% / 79.05%
||
7 Day CHG~0.00%
Published-18 Aug, 2023 | 09:43
Updated-08 Oct, 2024 | 14:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS command injection vulnerability in WRC-F1167ACF all versions, and WRC-1750GHBK all versions allows an attacker who can access the product to execute an arbitrary OS command by sending a specially crafted request.

Action-Not Available
Vendor-Elecom Co., Ltd.
Product-wrc-1750ghbk_firmwarewrc-f1167acf_firmwarewrc-f1167acfwrc-1750ghbkWRC-F1167ACFWRC-1750GHBKwrc_1750ghbkwrc_f1167acf
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-20853
Matching Score-6
Assigner-JPCERT/CC
ShareView Details
Matching Score-6
Assigner-JPCERT/CC
CVSS Score-6.8||MEDIUM
EPSS-0.35% / 56.44%
||
7 Day CHG~0.00%
Published-01 Dec, 2021 | 02:15
Updated-03 Aug, 2024 | 17:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ELECOM LAN routers (WRH-733GBK firmware v1.02.9 and prior and WRH-733GWH firmware v1.02.9 and prior) allows a network-adjacent attacker with an administrator privilege to execute arbitrary OS commands via unspecified vectors.

Action-Not Available
Vendor-Elecom Co., Ltd.
Product-wrh-733gbk_firmwarewrh-733gwh_firmwarewrh-733gbkwrh-733gwhELECOM LAN routers
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-53375
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-20.75% / 95.38%
||
7 Day CHG~0.00%
Published-02 Dec, 2024 | 00:00
Updated-17 Dec, 2024 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Authenticated Remote Code Execution (RCE) vulnerability affects the TP-Link Archer router series. A vulnerability exists in the "tmp_get_sites" function of the HomeShield functionality provided by TP-Link. This vulnerability is still exploitable without the activation of the HomeShield functionality.

Action-Not Available
Vendor-n/aTP-Link Systems Inc.
Product-n/aarcher_axe75_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-52018
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.64% / 69.53%
||
7 Day CHG+0.01%
Published-05 Nov, 2024 | 00:00
Updated-02 May, 2025 | 15:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Netgear XR300 v1.0.3.78 was discovered to contain a command injection vulnerability in the system_name parameter at genie_dyn.cgi. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-xr300_firmwarexr300n/axr300_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-52019
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.64% / 69.53%
||
7 Day CHG+0.01%
Published-05 Nov, 2024 | 00:00
Updated-02 May, 2025 | 15:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Netgear R8500 v1.0.2.160 was discovered to contain a command injection vulnerability in the wan_gateway parameter at genie_fix2.cgi. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-r8500r8500_firmwaren/ar8500_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-51253
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.27% / 50.38%
||
7 Day CHG~0.00%
Published-04 Nov, 2024 | 00:00
Updated-10 Apr, 2025 | 15:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doL2TP function.

Action-Not Available
Vendor-n/aDrayTek Corp.
Product-vigor3900_firmwarevigor3900n/avigor3900_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-50993
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.64% / 69.53%
||
7 Day CHG+0.01%
Published-05 Nov, 2024 | 00:00
Updated-22 Apr, 2025 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Netgear R8500 v1.0.2.160 was discovered to contain a command injection vulnerability in the sysNewPasswd parameter at admin_account.cgi. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-r8500r8500_firmwaren/ar8500_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-51010
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.64% / 69.53%
||
7 Day CHG+0.01%
Published-05 Nov, 2024 | 00:00
Updated-21 May, 2025 | 19:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Netgear R8500 v1.0.2.160, XR300 v1.0.3.78, R7000P v1.3.3.154, and R6400 v2 1.0.4.128 were discovered to contain a command injection vulnerability in the component ap_mode.cgi via the apmode_gateway parameter. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-r8500_firmwarer6400v2_firmwarer8500r7000pr7000p_firmwarexr300xr300_firmwarer6400v2n/axr300_firmwarer8500_firmwarer6400_firmwarer7000p_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-51005
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.64% / 69.53%
||
7 Day CHG+0.01%
Published-05 Nov, 2024 | 00:00
Updated-02 May, 2025 | 15:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Netgear R8500 v1.0.2.160 was discovered to contain a command injection vulnerability in the share_name parameter at usb_remote_smb_conf.cgi. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-r8500r8500_firmwaren/ar8500_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-48633
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.43% / 61.80%
||
7 Day CHG~0.00%
Published-17 Oct, 2024 | 00:00
Updated-07 May, 2025 | 16:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain multiple command injection vulnerabilities via the ExternalPort, InternalPort, ProtocolNumber, and LocalIPAddress parameters in the SetVirtualServerSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-878_firmwaredir-882dir-882_firmwaredir-878n/adir-882_firmwaredir-878_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-48632
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.43% / 61.80%
||
7 Day CHG~0.00%
Published-17 Oct, 2024 | 00:00
Updated-07 May, 2025 | 16:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain multiple command injection vulnerabilities via the LocalIPAddress, TCPPorts, and UDPPorts parameters in the SetPortForwardingSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-878_firmwaredir-882dir-882_firmwaredir-878n/adir-882_firmwaredir-878_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-44171
Matching Score-4
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-4
Assigner-Fortinet, Inc.
CVSS Score-9||CRITICAL
EPSS-0.26% / 48.83%
||
7 Day CHG~0.00%
Published-10 Oct, 2022 | 00:00
Updated-25 Oct, 2024 | 13:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiOS version 6.0.0 through 6.0.14, FortiOS version 6.2.0 through 6.2.10, FortiOS version 6.4.0 through 6.4.8, FortiOS version 7.0.0 through 7.0.3 allows attacker to execute privileged commands on a linked FortiSwitch via diagnostic CLI commands.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiosFortinet FortiOS
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-45887
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-2.52% / 84.80%
||
7 Day CHG-0.82%
Published-04 Nov, 2024 | 00:00
Updated-10 Apr, 2025 | 15:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

DrayTek Vigor3900 1.5.1.3 contains a post-authentication command injection vulnerability. This vulnerability occurs when the `action` parameter in `cgi-bin/mainfunction.cgi` is set to `doOpenVPN.`

Action-Not Available
Vendor-n/aDrayTek Corp.
Product-vigor3900_firmwarevigor3900n/avigor3900_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-45893
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-2.52% / 84.80%
||
7 Day CHG-0.82%
Published-04 Nov, 2024 | 00:00
Updated-10 Apr, 2025 | 15:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

DrayTek Vigor3900 1.5.1.3 contains a post-authentication command injection vulnerability. This vulnerability occurs when the `action` parameter in `cgi-bin/mainfunction.cgi` is set to `setSWMOption.`

Action-Not Available
Vendor-n/aDrayTek Corp.
Product-vigor3900_firmwarevigor3900n/avigor3900_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-44678
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-1.34% / 79.23%
||
7 Day CHG-0.36%
Published-25 Sep, 2024 | 00:00
Updated-26 Sep, 2024 | 14:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Gigastone TR1 Travel Router R101 v1.0.2 is vulnerable to Command Injection. This allows an authenticated attacker to execute arbitrary commands on the device by sending a crafted HTTP request to the ssid parameter in the request.

Action-Not Available
Vendor-n/agigastone
Product-n/atravel_router_r101_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-44844
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-9.59% / 92.56%
||
7 Day CHG~0.00%
Published-06 Sep, 2024 | 00:00
Updated-11 Sep, 2024 | 16:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

DrayTek Vigor3900 v1.5.1.6 was discovered to contain an authenticated command injection vulnerability via the name parameter in the run_command function.

Action-Not Available
Vendor-n/aDrayTek Corp.
Product-vigor3900_firmwarevigor3900n/avigor3900_firmware
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-42633
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-11.01% / 93.15%
||
7 Day CHG~0.00%
Published-19 Aug, 2024 | 00:00
Updated-20 Aug, 2024 | 16:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Command Injection vulnerability exists in the do_upgrade_post function of the httpd binary in Linksys E1500 v1.0.06.001. As a result, an authenticated attacker can execute OS commands with root privileges.

Action-Not Available
Vendor-n/aLinksys Holdings, Inc.
Product-e1500_firmwaree1500n/ae1500_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-41473
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-88.80% / 99.49%
||
7 Day CHG~0.00%
Published-25 Jul, 2024 | 00:00
Updated-02 Aug, 2024 | 04:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Tenda FH1201 v1.2.0.14 was discovered to contain a command injection vulnerability via the mac parameter at ip/goform/WriteFacMac

Action-Not Available
Vendor-n/aTenda Technology Co., Ltd.
Product-n/afh1201_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-48629
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-1.06% / 76.74%
||
7 Day CHG~0.00%
Published-17 Oct, 2024 | 00:00
Updated-07 May, 2025 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the IPAddress parameter in the SetGuestZoneRouterSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-878_firmwaredir-882dir-882_firmwaredir-878n/adir-882_firmwaredir-878_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-48636
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-1.06% / 76.74%
||
7 Day CHG~0.00%
Published-17 Oct, 2024 | 00:00
Updated-07 May, 2025 | 16:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the VLANID:0/VID parameter in the SetVLANSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-878_firmwaredir-882dir-882_firmwaredir-878n/adir-882_firmwaredir-878_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-48825
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-3.14% / 86.34%
||
7 Day CHG~0.00%
Published-28 Oct, 2024 | 00:00
Updated-17 Mar, 2025 | 14:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Tenda AC7 v.15.03.06.44 ate_ifconfig_set has pre-authentication command injection allowing remote attackers to execute arbitrary code.

Action-Not Available
Vendor-n/aTenda Technology Co., Ltd.
Product-ac7ac7_firmwaren/aac7_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-35031
Matching Score-4
Assigner-Zyxel Corporation
ShareView Details
Matching Score-4
Assigner-Zyxel Corporation
CVSS Score-6.8||MEDIUM
EPSS-0.08% / 25.46%
||
7 Day CHG~0.00%
Published-28 Dec, 2021 | 10:36
Updated-04 Aug, 2024 | 00:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the TFTP client of Zyxel GS1900 series firmware, XGS1210 series firmware, and XGS1250 series firmware, which could allow an authenticated LAN user to execute arbitrary OS commands via the GUI of the vulnerable device.

Action-Not Available
Vendor-Zyxel Networks Corporation
Product-gs1900-24hpv2_firmwaregs1900-10hpxgs1250-12gs1900-24_firmwaregs1900-24e_firmwaregs1900-8gs1900-48hpgs1900-8hp_firmwaregs1900-48_firmwaregs1900-48hpv2_firmwaregs1900-48hpv2gs1900-24epgs1900-24ep_firmwarexgs1210-12xgs1250-12_firmwaregs1900-24hp_firmwaregs1900-24gs1900-8hpgs1900-24egs1900-24hpv2gs1900-8_firmwaregs1900-48gs1900-48hp_firmwaregs1900-16_firmwaregs1900-10hp_firmwaregs1900-16xgs1210-12_firmwaregs1900-24hpGS1900 series firmwareXGS1210 series firmwareXGS1250 series firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-31977
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.46% / 62.96%
||
7 Day CHG~0.00%
Published-24 Jul, 2024 | 00:00
Updated-04 Sep, 2024 | 14:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Adtran 834-5 11.1.0.101-202106231430, and fixed as of SmartOS Version 12.6.3.1, devices allow OS Command Injection via shell metacharacters to the Ping or Traceroute utility.

Action-Not Available
Vendor-n/aAdtran, Inc
Product-834-5_firmwaresdg_smartos834-5n/a834-5_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-31976
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.28% / 50.73%
||
7 Day CHG~0.00%
Published-27 Nov, 2024 | 00:00
Updated-29 Nov, 2024 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

EnGenius EWS356-FIR 1.1.30 and earlier devices allow a remote attacker to execute arbitrary OS commands via the Controller connectivity parameter.

Action-Not Available
Vendor-n/aengenius
Product-n/aews356_fit_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-27521
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-2.44% / 84.56%
||
7 Day CHG~0.00%
Published-26 Mar, 2024 | 00:00
Updated-09 Aug, 2024 | 21:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain an unauthenticated remote command execution (RCE) vulnerability via multiple parameters in the "setOpModeCfg" function. This security issue allows an attacker to take complete control of the device. In detail, exploitation allows unauthenticated, remote attackers to execute arbitrary system commands with administrative privileges (i.e., as user "root").

Action-Not Available
Vendor-n/aTOTOLINK
Product-n/aa3300r_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-25851
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.38% / 58.83%
||
7 Day CHG~0.00%
Published-22 Feb, 2024 | 00:00
Updated-03 Apr, 2025 | 13:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Netis WF2780 v2.1.40144 was discovered to contain a command injection vulnerability via the config_sequence parameter in other_para of cgitest.cgi.

Action-Not Available
Vendor-n/aNetis Systems Co., Ltd.
Product-wf2780_firmwarewf2780n/awf2780_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found