Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-38471

Summary
Assigner-jpcert
Assigner Org ID-ede6fdc4-6654-4307-a26d-3331c018e2ce
Published At-04 Jul, 2024 | 00:49
Updated At-13 Mar, 2025 | 13:17
Rejected At-
Credits

Multiple TP-LINK products allow a network-adjacent attacker with an administrative privilege to execute arbitrary OS commands by restoring a crafted backup file. The affected device, with the initial configuration, allows login only from the LAN port or Wi-Fi.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:jpcert
Assigner Org ID:ede6fdc4-6654-4307-a26d-3331c018e2ce
Published At:04 Jul, 2024 | 00:49
Updated At:13 Mar, 2025 | 13:17
Rejected At:
▼CVE Numbering Authority (CNA)

Multiple TP-LINK products allow a network-adjacent attacker with an administrative privilege to execute arbitrary OS commands by restoring a crafted backup file. The affected device, with the initial configuration, allows login only from the LAN port or Wi-Fi.

Affected Products
Vendor
TP-Link Systems Inc.TP-LINK
Product
Archer AX3000
Versions
Affected
  • firmware versions prior to "Archer AX3000(JP)_V1_1.1.3 Build 20240415"
Vendor
TP-Link Systems Inc.TP-LINK
Product
Archer AXE75
Versions
Affected
  • firmware versions prior to "Archer AXE75(JP)_V1_1.2.0 Build 20240320"
Vendor
TP-Link Systems Inc.TP-LINK
Product
Archer AX5400
Versions
Affected
  • firmware versions prior to "Archer AX5400(JP)_V1_1.1.4 Build 20240429"
Vendor
TP-Link Systems Inc.TP-LINK
Product
Archer Air R5
Versions
Affected
  • firmware versions prior to "Archer Air R5(JP)_V1_1.1.6 Build 20240508"
Vendor
TP-Link Systems Inc.TP-LINK
Product
Archer AXE5400
Versions
Affected
  • firmware versions prior to "Archer AXE5400(JP)_V1_1.0.3 Build 20240319"
Problem Types
TypeCWE IDDescription
textN/AOS command injection
Type: text
CWE ID: N/A
Description: OS command injection
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.tp-link.com/jp/support/download/
N/A
https://www.tp-link.com/jp/support/download/archer-ax3000/#Firmware
N/A
https://www.tp-link.com/jp/support/download/archer-axe75/#Firmware
N/A
https://www.tp-link.com/jp/support/download/archer-ax5400/#Firmware
N/A
https://www.tp-link.com/jp/support/download/archer-air-r5/v1/#Firmware
N/A
https://www.tp-link.com/jp/support/download/archer-axe5400/#Firmware
N/A
https://jvn.jp/en/vu/JVNVU99784493/
N/A
Hyperlink: https://www.tp-link.com/jp/support/download/
Resource: N/A
Hyperlink: https://www.tp-link.com/jp/support/download/archer-ax3000/#Firmware
Resource: N/A
Hyperlink: https://www.tp-link.com/jp/support/download/archer-axe75/#Firmware
Resource: N/A
Hyperlink: https://www.tp-link.com/jp/support/download/archer-ax5400/#Firmware
Resource: N/A
Hyperlink: https://www.tp-link.com/jp/support/download/archer-air-r5/v1/#Firmware
Resource: N/A
Hyperlink: https://www.tp-link.com/jp/support/download/archer-axe5400/#Firmware
Resource: N/A
Hyperlink: https://jvn.jp/en/vu/JVNVU99784493/
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Vendor
TP-Link Systems Inc.tp-link
Product
archer_ax3000_firmware
CPEs
  • cpe:2.3:o:tp-link:archer_ax3000_firmware:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 0 before v1_1.1.3_build_20240415 (custom)
Vendor
TP-Link Systems Inc.tp-link
Product
archer_axe75_firmware
CPEs
  • cpe:2.3:o:tp-link:archer_axe75_firmware:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 0 before v1_1.2.0_build_20240320 (custom)
Vendor
TP-Link Systems Inc.tp-link
Product
archer_ax5400_firmware
CPEs
  • cpe:2.3:o:tp-link:archer_ax5400_firmware:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 0 before v1_1.1.4_build_20240429 (custom)
Vendor
TP-Link Systems Inc.tp-link
Product
archer_axe5400_firmware
CPEs
  • cpe:2.3:o:tp-link:archer_axe5400_firmware:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 0 before v1_1.0.3_build_20240319 (custom)
Vendor
TP-Link Systems Inc.tp-link
Product
archer_airr5_firmware
CPEs
  • cpe:2.3:o:tp-link:archer_airr5_firmware:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 0 before v1_1.0.3_build_20240319 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-78CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Type: CWE
CWE ID: CWE-78
Description: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Metrics
VersionBase scoreBase severityVector
3.16.8MEDIUM
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 6.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.tp-link.com/jp/support/download/
x_transferred
https://www.tp-link.com/jp/support/download/archer-ax3000/#Firmware
x_transferred
https://www.tp-link.com/jp/support/download/archer-axe75/#Firmware
x_transferred
https://www.tp-link.com/jp/support/download/archer-ax5400/#Firmware
x_transferred
https://www.tp-link.com/jp/support/download/archer-air-r5/v1/#Firmware
x_transferred
https://www.tp-link.com/jp/support/download/archer-axe5400/#Firmware
x_transferred
https://jvn.jp/en/vu/JVNVU99784493/
x_transferred
Hyperlink: https://www.tp-link.com/jp/support/download/
Resource:
x_transferred
Hyperlink: https://www.tp-link.com/jp/support/download/archer-ax3000/#Firmware
Resource:
x_transferred
Hyperlink: https://www.tp-link.com/jp/support/download/archer-axe75/#Firmware
Resource:
x_transferred
Hyperlink: https://www.tp-link.com/jp/support/download/archer-ax5400/#Firmware
Resource:
x_transferred
Hyperlink: https://www.tp-link.com/jp/support/download/archer-air-r5/v1/#Firmware
Resource:
x_transferred
Hyperlink: https://www.tp-link.com/jp/support/download/archer-axe5400/#Firmware
Resource:
x_transferred
Hyperlink: https://jvn.jp/en/vu/JVNVU99784493/
Resource:
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:vultures@jpcert.or.jp
Published At:04 Jul, 2024 | 01:15
Updated At:13 Mar, 2025 | 14:15

Multiple TP-LINK products allow a network-adjacent attacker with an administrative privilege to execute arbitrary OS commands by restoring a crafted backup file. The affected device, with the initial configuration, allows login only from the LAN port or Wi-Fi.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.16.8MEDIUM
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 6.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-78Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-78
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://jvn.jp/en/vu/JVNVU99784493/vultures@jpcert.or.jp
N/A
https://www.tp-link.com/jp/support/download/vultures@jpcert.or.jp
N/A
https://www.tp-link.com/jp/support/download/archer-air-r5/v1/#Firmwarevultures@jpcert.or.jp
N/A
https://www.tp-link.com/jp/support/download/archer-ax3000/#Firmwarevultures@jpcert.or.jp
N/A
https://www.tp-link.com/jp/support/download/archer-ax5400/#Firmwarevultures@jpcert.or.jp
N/A
https://www.tp-link.com/jp/support/download/archer-axe5400/#Firmwarevultures@jpcert.or.jp
N/A
https://www.tp-link.com/jp/support/download/archer-axe75/#Firmwarevultures@jpcert.or.jp
N/A
https://jvn.jp/en/vu/JVNVU99784493/af854a3a-2127-422b-91ae-364da2661108
N/A
https://www.tp-link.com/jp/support/download/af854a3a-2127-422b-91ae-364da2661108
N/A
https://www.tp-link.com/jp/support/download/archer-air-r5/v1/#Firmwareaf854a3a-2127-422b-91ae-364da2661108
N/A
https://www.tp-link.com/jp/support/download/archer-ax3000/#Firmwareaf854a3a-2127-422b-91ae-364da2661108
N/A
https://www.tp-link.com/jp/support/download/archer-ax5400/#Firmwareaf854a3a-2127-422b-91ae-364da2661108
N/A
https://www.tp-link.com/jp/support/download/archer-axe5400/#Firmwareaf854a3a-2127-422b-91ae-364da2661108
N/A
https://www.tp-link.com/jp/support/download/archer-axe75/#Firmwareaf854a3a-2127-422b-91ae-364da2661108
N/A
Hyperlink: https://jvn.jp/en/vu/JVNVU99784493/
Source: vultures@jpcert.or.jp
Resource: N/A
Hyperlink: https://www.tp-link.com/jp/support/download/
Source: vultures@jpcert.or.jp
Resource: N/A
Hyperlink: https://www.tp-link.com/jp/support/download/archer-air-r5/v1/#Firmware
Source: vultures@jpcert.or.jp
Resource: N/A
Hyperlink: https://www.tp-link.com/jp/support/download/archer-ax3000/#Firmware
Source: vultures@jpcert.or.jp
Resource: N/A
Hyperlink: https://www.tp-link.com/jp/support/download/archer-ax5400/#Firmware
Source: vultures@jpcert.or.jp
Resource: N/A
Hyperlink: https://www.tp-link.com/jp/support/download/archer-axe5400/#Firmware
Source: vultures@jpcert.or.jp
Resource: N/A
Hyperlink: https://www.tp-link.com/jp/support/download/archer-axe75/#Firmware
Source: vultures@jpcert.or.jp
Resource: N/A
Hyperlink: https://jvn.jp/en/vu/JVNVU99784493/
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://www.tp-link.com/jp/support/download/
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://www.tp-link.com/jp/support/download/archer-air-r5/v1/#Firmware
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://www.tp-link.com/jp/support/download/archer-ax3000/#Firmware
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://www.tp-link.com/jp/support/download/archer-ax5400/#Firmware
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://www.tp-link.com/jp/support/download/archer-axe5400/#Firmware
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://www.tp-link.com/jp/support/download/archer-axe75/#Firmware
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

119Records found
CVE-2024-41585
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.8||MEDIUM
EPSS-0.94% / 75.32%
||
7 Day CHG~0.00%
Published-03 Oct, 2024 | 00:00
Updated-07 Oct, 2024 | 19:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

DrayTek Vigor3910 devices through 4.3.2.6 are affected by an OS command injection vulnerability that allows an attacker to leverage the recvCmd binary to escape from the emulated instance and inject arbitrary commands into the host machine.

Action-Not Available
Vendor-n/aDrayTek Corp.
Product-n/avigor3910_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-41315
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.8||MEDIUM
EPSS-1.69% / 81.50%
||
7 Day CHG~0.00%
Published-22 Jul, 2024 | 00:00
Updated-03 Apr, 2025 | 15:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability via the ifname parameter in the apcli_do_enr_pin_wps function.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a6000r_firmwarea6000rn/aa6000r_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-40893
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-6.8||MEDIUM
EPSS-1.36% / 79.40%
||
7 Day CHG~0.00%
Published-12 Aug, 2024 | 18:49
Updated-21 Aug, 2024 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Firewalla BTLE Authenticated Command Injection

Multiple authenticated operating system (OS) command injection vulnerabilities exist in Firewalla Box Software versions before 1.979. A physically close attacker that is authenticated to the Bluetooth Low-Energy (BTLE) interface can use the network configuration service to inject commands in various configuration parameters including networkConfig.Interface.Phy.Eth0.Extra.PingTestIP, networkConfig.Interface.Phy.Eth0.Extra.DNSTestDomain, and networkConfig.Interface.Phy.Eth0.Gateway6. Additionally, because the configuration can be synced to the Firewalla cloud, the attacker may be able to persist access even after hardware resets and firmware re-flashes.

Action-Not Available
Vendor-Firewallafirewalla
Product-Box Softwarebox_software
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-41314
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.8||MEDIUM
EPSS-1.69% / 81.50%
||
7 Day CHG~0.00%
Published-22 Jul, 2024 | 00:00
Updated-03 Apr, 2025 | 15:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability via the iface parameter in the vif_disable function.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a6000r_firmwarea6000rn/aa6000r_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-39607
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-6.8||MEDIUM
EPSS-0.57% / 67.68%
||
7 Day CHG~0.00%
Published-01 Aug, 2024 | 01:17
Updated-17 Feb, 2025 | 06:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS command injection vulnerability exists in ELECOM wireless LAN routers. A specially crafted request may be sent to the affected product by a logged-in user with an administrative privilege to execute an arbitrary OS command.

Action-Not Available
Vendor-Elecom Co., Ltd.
Product-WRC-X1500GSA-BWRC-X6000QSA-GWRC-X3000GS2-WWRC-X1800GS-BWRC-XE5400GSA-GWRC-XE5400GS-GWRC-X1500GS-BWRC-X3000GS2A-BWRC-X6000XST-GWRC-X1800GSH-BWRC-X6000XS-GWRC-X3000GS2-BWRC-X1800GSA-BWRC-X6000QS-Gwrc-x1500gsa-b_firmwarewrc-x1500gs-b_firmwarewrc-x6000xs-g_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-35519
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.4||HIGH
EPSS-0.60% / 68.63%
||
7 Day CHG~0.00%
Published-14 Oct, 2024 | 00:00
Updated-17 Mar, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Netgear EX6120 v1.0.0.68, Netgear EX6100 v1.0.2.28, and Netgear EX3700 v1.0.0.96 are vulnerable to command injection in operating_mode.cgi via the ap_mode parameter.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-ex6100_firmwareex6120ex6100ex6120_firmwareex3700ex3700_firmwaren/aex6100ex3700ex6120
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-28767
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.8||MEDIUM
EPSS-0.08% / 25.39%
||
7 Day CHG+0.01%
Published-20 Dec, 2024 | 13:48
Updated-15 Aug, 2025 | 18:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Security Directory Integrator command execution

IBM Security Directory Integrator 7.2.0 through 7.2.0.13 and 10.0.0 through 10.0.3 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request.

Action-Not Available
Vendor-IBM Corporation
Product-security_directory_integratorSecurity Directory Integrator
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-25579
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-6.8||MEDIUM
EPSS-0.15% / 36.48%
||
7 Day CHG~0.00%
Published-28 Feb, 2024 | 23:08
Updated-03 Dec, 2024 | 17:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS command injection vulnerability in ELECOM wireless LAN routers allows a network-adjacent attacker with an administrative privilege to execute arbitrary OS commands by sending a specially crafted request to the product. Note that WMC-X1800GST-B is also included in e-Mesh Starter Kit "WMC-2LX-B".

Action-Not Available
Vendor-Elecom Co., Ltd.
Product-WRC-2533GS2-BWRC-2533GS2-WWRC-1167GS2H-BWRC-2533GS2V-BWMC-X1800GST-BWRC-2533GST2WRC-X3200GST3-BWRC-G01-WWRC-1167GS2-BWRC-1167GST2wrc-2533gs2-b_firmwarewrc-1167gs2h-b_firmwarewmc-x1800gst-b_firmwarewrc-2533gst2_firmwarewrc-2533gs2v-b_firmwarewrc-x3200gst3-b_firmwarewrc-g01-w_firmwarewrc-1167gst2_firmwarewrc-2533gs2-w_firmwarewrc-1167gs2-b_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-21154
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.8||MEDIUM
EPSS-0.14% / 34.08%
||
7 Day CHG~0.00%
Published-27 Apr, 2020 | 17:11
Updated-05 Aug, 2024 | 12:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain NETGEAR devices are affected by command injection by an authenticated user. This affects D7800 before 1.0.1.34, DM200 before 1.0.0.50, R6100 before 1.0.1.22, R7500 before 1.0.0.122, R7500v2 before 1.0.3.26, and R7800 before 1.0.2.42.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-r7500_firmwared7800_firmwaredm200r7800r6100r7800_firmwared7800r6100_firmwaredm200_firmwarer7500n/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-51228
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.8||MEDIUM
EPSS-66.19% / 98.46%
||
7 Day CHG~0.00%
Published-27 Nov, 2024 | 00:00
Updated-29 Nov, 2024 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in TOTOLINK-CX-A3002RU V1.0.4-B20171106.1512 and TOTOLINK-CX-N150RT V2.1.6-B20171121.1002 and TOTOLINK-CX-N300RT V2.1.6-B20170724.1420 and TOTOLINK-CX-N300RT V2.1.8-B20171113.1408 and TOTOLINK-CX-N300RT V2.1.8-B20191010.1107 and TOTOLINK-CX-N302RE V2.0.2-B20170511.1523 allows a remote attacker to execute arbitrary code via the /boafrm/formSysCmd component.

Action-Not Available
Vendor-n/aTOTOLINK
Product-n/an150rt_firmwaren300rt_firmwarea3002ru_firmwaren302re_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-21110
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.8||MEDIUM
EPSS-0.14% / 35.42%
||
7 Day CHG~0.00%
Published-23 Apr, 2020 | 19:38
Updated-05 Aug, 2024 | 12:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NETGEAR R7800 devices before 1.0.2.60 are affected by command injection by an authenticated user.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-r7800r7800_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-21104
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.8||MEDIUM
EPSS-0.14% / 35.42%
||
7 Day CHG~0.00%
Published-23 Apr, 2020 | 18:33
Updated-05 Aug, 2024 | 12:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NETGEAR R7800 devices before 1.0.2.60 are affected by command injection by an authenticated user.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-r7800r7800_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-22372
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-6.8||MEDIUM
EPSS-0.17% / 39.11%
||
7 Day CHG~0.00%
Published-24 Jan, 2024 | 04:38
Updated-17 Jun, 2025 | 21:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS command injection vulnerability in ELECOM wireless LAN routers allows a network-adjacent attacker with an administrative privilege to execute arbitrary OS commands by sending a specially crafted request to the product.

Action-Not Available
Vendor-Elecom Co., Ltd.
Product-wrc-x6000xs-g_firmwarewrc-x6000xs-gwrc-x1800gsa-b_firmwarewrc-x1800gs-b_firmwarewrc-x1800gsh-bwrc-x6000xst-g_firmwarewrc-x1800gsa-bwrc-x1800gs-bwrc-x6000xst-gwrc-x1800gsh-b_firmwareWRC-X3000GS2A-BWRC-X1800GSA-BWRC-X6000QS-GWRC-X6000QSA-GWRC-X1800GS-BWRC-XE5400GS-GWRC-XE5400GSA-GWRC-X1500GS-BWRC-X1500GSA-BWRC-X1800GSH-BWRC-X3000GS2-BWRC-X6000XS-GWRC-X3000GS2-WWRC-X6000XST-G
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-21225
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.8||MEDIUM
EPSS-0.14% / 34.08%
||
7 Day CHG~0.00%
Published-28 Apr, 2020 | 16:37
Updated-05 Aug, 2024 | 12:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain NETGEAR devices are affected by command injection by an authenticated user. This affects D7000 before 1.0.1.60, D7800 before 1.0.1.34, D8500 before 1.0.3.39, R6700 before 1.0.1.30, R6700v2 before 1.2.0.16, R6800 before 1.2.0.16, R6900 before 1.0.1.30, R6900P before 1.2.0.22, R6900v2 before 1.2.0.16, R7000 before 1.0.9.12, R7000P before 1.2.0.22, R7500v2 before 1.0.3.20, R7800 before 1.0.2.44, R8300 before 1.0.2.106, R8500 before 1.0.2.106, and R9000 before 1.0.2.52.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-d7800_firmwared7000r8500r9000_firmwared8500d7000_firmwarer6700r8300_firmwarer7000r6900pd7800r6900r7000pr7500r9000r6900p_firmwarer7500_firmwarer6800r8300r8500_firmwarer6900_firmwarer7800r7000_firmwarer7800_firmwarer6700_firmwared8500_firmwarer6800_firmwarer7000p_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-21152
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.8||MEDIUM
EPSS-0.14% / 35.42%
||
7 Day CHG~0.00%
Published-27 Apr, 2020 | 17:09
Updated-05 Aug, 2024 | 12:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain NETGEAR devices are affected by command injection by an authenticated user. This affects D7800 before 1.0.1.34, R7500v2 before 1.0.3.26, R7800 before 1.0.2.42, R8900 before 1.0.3.10, R9000 before 1.0.3.10, WNDR4300v2 before 1.0.0.54, and WNDR4500v3 before 1.0.0.54.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-r7500_firmwared7800_firmwarer7800r8900r9000_firmwarewndr4500r9000r8900_firmwarewndr4300r7800_firmwarewndr4500_firmwared7800r7500wndr4300_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-22366
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-6.8||MEDIUM
EPSS-0.08% / 25.12%
||
7 Day CHG~0.00%
Published-24 Jan, 2024 | 04:35
Updated-20 Jun, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Active debug code exists in Yamaha wireless LAN access point devices. If a logged-in user who knows how to use the debug function accesses the device's management page, this function can be enabled by performing specific operations. As a result, an arbitrary OS command may be executed and/or configuration settings of the device may be altered. Affected products and versions are as follows: WLX222 firmware Rev.24.00.03 and earlier, WLX413 firmware Rev.22.00.05 and earlier, WLX212 firmware Rev.21.00.12 and earlier, WLX313 firmware Rev.18.00.12 and earlier, and WLX202 firmware Rev.16.00.18 and earlier.

Action-Not Available
Vendor-yamahaYamaha Corporation
Product-wlx313wlx222wlx212wlx413_firmwarewlx222_firmwarewlx313_firmwarewlx413wlx212_firmwarewlx202wlx202_firmwareWLX202WLX222WLX212WLX413WLX313
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-22065
Matching Score-4
Assigner-ZTE Corporation
ShareView Details
Matching Score-4
Assigner-ZTE Corporation
CVSS Score-6.8||MEDIUM
EPSS-0.49% / 64.59%
||
7 Day CHG+0.03%
Published-29 Oct, 2024 | 01:58
Updated-28 Jan, 2025 | 17:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ZTE MF258 Pro product has a OS Command injection vulnerability

There is a command injection vulnerability in ZTE MF258 Pro product. Due to insufficient validation of Ping Diagnosis interface parameter, an authenticated attacker could use the vulnerability to execute arbitrary commands.

Action-Not Available
Vendor-ZTE Corporation
Product-mf258k_pro_firmwaremf258k_proMF258 Promf258_pro_firmware
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-57024
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.8||MEDIUM
EPSS-2.05% / 83.13%
||
7 Day CHG~0.00%
Published-15 Jan, 2025 | 00:00
Updated-07 Apr, 2025 | 18:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "eMinute" parameter in setWiFiScheduleCfg.

Action-Not Available
Vendor-n/aTOTOLINK
Product-x5000r_firmwarex5000rn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-56132
Matching Score-4
Assigner-Progress Software Corporation
ShareView Details
Matching Score-4
Assigner-Progress Software Corporation
CVSS Score-8.4||HIGH
EPSS-0.26% / 49.29%
||
7 Day CHG~0.00%
Published-05 Feb, 2025 | 18:01
Updated-31 Jul, 2025 | 14:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection.

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. This issue affects:  Product Affected Versions LoadMaster From 7.2.55.0 to 7.2.60.1 (inclusive)    From 7.2.49.0 to 7.2.54.12 (inclusive)    7.2.48.12 and all prior versions ECS All prior versions to 7.2.60.1 (inclusive)

Action-Not Available
Vendor-Progress Software Corporation
Product-multi-tenant_loadmasterloadmasterLoadMaster
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found