Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-51246

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-04 Nov, 2024 | 00:00
Updated At-04 Nov, 2024 | 17:03
Rejected At-
Credits

In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doPPTP function.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:04 Nov, 2024 | 00:00
Updated At:04 Nov, 2024 | 17:03
Rejected At:
▼CVE Numbering Authority (CNA)

In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doPPTP function.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/fu37kola/cve/blob/main/DrayTek/Vigor3900/1.5.1.3/DrayTek_Vigor_3900_1.5.1.3.pdf
N/A
Hyperlink: https://github.com/fu37kola/cve/blob/main/DrayTek/Vigor3900/1.5.1.3/DrayTek_Vigor_3900_1.5.1.3.pdf
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Vendor
DrayTek Corp.draytek
Product
vigor3900_firmware
CPEs
  • cpe:2.3:o:draytek:vigor3900_firmware:1.5.1.3:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • 1.5.1.3
Problem Types
TypeCWE IDDescription
CWECWE-78CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Type: CWE
CWE ID: CWE-78
Description: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Metrics
VersionBase scoreBase severityVector
3.18.0HIGH
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 8.0
Base severity: HIGH
Vector:
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:04 Nov, 2024 | 14:15
Updated At:11 Apr, 2025 | 15:06

In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doPPTP function.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.18.0HIGH
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 8.0
Base severity: HIGH
Vector:
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CPE Matches
DrayTek Corp.
draytek
>>vigor3900_firmware>>1.5.1.3
cpe:2.3:o:draytek:vigor3900_firmware:1.5.1.3:*:*:*:*:*:*:*
DrayTek Corp.
draytek
>>vigor3900>>-
cpe:2.3:h:draytek:vigor3900:-:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-78Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-78
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/fu37kola/cve/blob/main/DrayTek/Vigor3900/1.5.1.3/DrayTek_Vigor_3900_1.5.1.3.pdfcve@mitre.org
Broken Link
Hyperlink: https://github.com/fu37kola/cve/blob/main/DrayTek/Vigor3900/1.5.1.3/DrayTek_Vigor_3900_1.5.1.3.pdf
Source: cve@mitre.org
Resource:
Broken Link

Change History

0
Information is not available yet

Similar CVEs

156Records found
CVE-2023-40193
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-8||HIGH
EPSS-0.09% / 25.69%
||
7 Day CHG~0.00%
Published-06 Sep, 2023 | 09:22
Updated-26 Sep, 2024 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Deco M4 firmware versions prior to 'Deco M4(JP)_V2_1.5.8 Build 20230619' allows a network-adjacent authenticated attacker to execute arbitrary OS commands.

Action-Not Available
Vendor-TP-Link Systems Inc.
Product-deco_m4deco_m4_firmwareDeco M4deco_m4
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-25894
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.05% / 15.17%
||
7 Day CHG~0.00%
Published-18 Feb, 2025 | 00:00
Updated-02 May, 2025 | 15:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An OS command injection vulnerability was discovered in D-Link DSL-3782 v1.01 via the samba_wg and samba_nbn parameters. This vulnerability allows attackers to execute arbitrary operating system (OS) commands via a crafted packet.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dsl-3782dsl-3782_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-24817
Matching Score-4
Assigner-Nokia
ShareView Details
Matching Score-4
Assigner-Nokia
CVSS Score-8||HIGH
EPSS-0.06% / 19.67%
||
7 Day CHG~0.00%
Published-07 Apr, 2026 | 15:09
Updated-22 Apr, 2026 | 18:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
An OS Command Injection vulnerability in Nokia MantaRay NM

Nokia MantaRay NM is vulnerable to an OS command injection vulnerability due to improper neutralization of special elements used in an OS command in Symptom Collector application.

Action-Not Available
Vendor-Nokia Corporation
Product-mantaray_nmMantaRay NM
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-27367
Matching Score-4
Assigner-Zero Day Initiative
ShareView Details
Matching Score-4
Assigner-Zero Day Initiative
CVSS Score-8||HIGH
EPSS-0.39% / 59.87%
||
7 Day CHG+0.18%
Published-03 May, 2024 | 01:56
Updated-03 Jan, 2025 | 17:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
NETGEAR RAX30 libcms_cli Command Injection Remote Code Execution Vulnerability

NETGEAR RAX30 libcms_cli Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR RAX30 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the libcms_cli module. The issue results from the lack of proper validation of a user-supplied command before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-19838.

Action-Not Available
Vendor-NETGEAR, Inc.
Product-rax30_firmwarerax30RAX30rax30_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-27356
Matching Score-4
Assigner-Zero Day Initiative
ShareView Details
Matching Score-4
Assigner-Zero Day Initiative
CVSS Score-6.8||MEDIUM
EPSS-0.39% / 60.13%
||
7 Day CHG+0.13%
Published-03 May, 2024 | 01:56
Updated-03 Jan, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
NETGEAR RAX30 logCtrl Command Injection Remote Code Execution Vulnerability

NETGEAR RAX30 logCtrl Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR RAX30 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the logCtrl action. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-19825.

Action-Not Available
Vendor-NETGEAR, Inc.
Product-raxe300rax30_firmwarerax30raxe300_firmwareRAX30rax30_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-2625
Matching Score-4
Assigner-Hitachi Energy
ShareView Details
Matching Score-4
Assigner-Hitachi Energy
CVSS Score-9||CRITICAL
EPSS-0.17% / 37.49%
||
7 Day CHG~0.00%
Published-28 Jun, 2023 | 16:15
Updated-04 Dec, 2024 | 20:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability exists that can be exploited by an authenticated client that is connected to the same network segment as the CoreTec 4, having any level of access VIEWER to ADMIN. To exploit the vulnerability the attacker can inject shell commands through a particular field of the web user interface that will be executed by the system.

Action-Not Available
Vendor-Hitachi Energy Ltd.ABB
Product-txpert_hub_coretec_4_firmwaretxpert_hub_coretec_4TXpert Hub CoreTec 4
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-15568
Matching Score-4
Assigner-TP-Link Systems Inc.
ShareView Details
Matching Score-4
Assigner-TP-Link Systems Inc.
CVSS Score-8.5||HIGH
EPSS-0.15% / 34.64%
||
7 Day CHG-0.04%
Published-09 Mar, 2026 | 16:19
Updated-06 May, 2026 | 14:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command Injection Vulnerability on TP-Link Archer AXE75

A command injection vulnerability was identified in the web module of Archer AXE75 v1.6/v1.0 router. An authenticated attacker with adjacent-network access may be able to perform remote code execution (RCE) when the router is configured with sysmode=ap. Successful exploitation results in root-level privileges and impacts confidentiality, integrity and availability of the device. This issue affects Archer AXE75 v1.6/v1.0: through 1.3.2 Build 20250107.

Action-Not Available
Vendor-TP-Link Systems Inc.TP-Link Systems Inc.
Product-archer_axe75archer_axe75_firmwareArcher AXE75 v1.6/v1.0
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-14737
Matching Score-4
Assigner-TP-Link Systems Inc.
ShareView Details
Matching Score-4
Assigner-TP-Link Systems Inc.
CVSS Score-7.1||HIGH
EPSS-0.29% / 52.45%
||
7 Day CHG~0.00%
Published-18 Dec, 2025 | 18:00
Updated-26 Feb, 2026 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command Injection Vulnerability in TP-Link WA850RE

Command Injection vulnerability in TP-Link WA850RE (httpd modules) allows authenticated adjacent attacker to inject arbitrary commands.This issue affects: ≤ WA850RE V2_160527, ≤ WA850RE V3_160922.

Action-Not Available
Vendor-TP-Link Systems Inc.TP-Link Systems Inc.
Product-tl-wa850retl-wa850re_firmwareWA850RE
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-5534
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-8||HIGH
EPSS-0.23% / 45.52%
||
7 Day CHG~0.00%
Published-21 Feb, 2020 | 09:15
Updated-04 Aug, 2024 | 08:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Aterm WG2600HS firmware Ver1.3.2 and earlier allows an authenticated attacker on the same network segment to execute arbitrary OS commands with root privileges via unspecified vectors.

Action-Not Available
Vendor-NEC Corporation
Product-aterm_wg2600hs_firmwareaterm_wg2600hsAterm WG2600HS
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-22304
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-8||HIGH
EPSS-1.73% / 82.55%
||
7 Day CHG~0.00%
Published-17 Jan, 2023 | 00:00
Updated-04 Apr, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS command injection vulnerability in PIX-RT100 versions RT100_TEQ_2.1.1_EQ101 and RT100_TEQ_2.1.2_EQ101 allows a network-adjacent attacker who can access product settings to execute an arbitrary OS command.

Action-Not Available
Vendor-pixelaPIXELA CORPORATION
Product-pix-rt100_firmwarepix-rt100PIX-RT100
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-21099
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.6||HIGH
EPSS-0.35% / 57.26%
||
7 Day CHG~0.00%
Published-27 Apr, 2020 | 17:05
Updated-05 Aug, 2024 | 12:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NETGEAR R7800 devices before 1.0.2.60 are affected by command injection by an authenticated user.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-r7800r7800_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-38588
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-8||HIGH
EPSS-0.08% / 23.01%
||
7 Day CHG~0.00%
Published-06 Sep, 2023 | 09:23
Updated-26 Sep, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Archer C3150 firmware versions prior to 'Archer C3150(JP)_V2_230511' allows a network-adjacent authenticated attacker to execute arbitrary OS commands.

Action-Not Available
Vendor-TP-Link Systems Inc.
Product-archer_c3150_firmwarearcher_c3150Archer C3150archer_c3150_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-32350
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-8||HIGH
EPSS-0.30% / 53.00%
||
7 Day CHG~0.00%
Published-22 May, 2023 | 15:14
Updated-16 Jan, 2025 | 21:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Versions 00.07.00 through 00.07.03 of Teltonika’s RUT router firmware contain an operating system (OS) command injection vulnerability in a Lua service. An attacker could exploit a parameter in the vulnerable function that calls a user-provided package name by instead providing a package with a malicious name that contains an OS command injection payload.

Action-Not Available
Vendor-teltonika-networksTeltonika
Product-rut300rut955_firmwarerutx11_firmwarerut950rutxr1rut956rut241rutx08rutx09rut300_firmwarerutx12_firmwarerut901rutx10rut360rutx50rut951_firmwarerutx08_firmwarerutx14rut951rutx10_firmwarerut240_firmwarerutx09_firmwarerutx12rut360_firmwarerut956_firmwarerut200_firmwarerutx50_firmwarerut955rutx11rut241_firmwarerut950_firmwarerut901_firmwarerutx14_firmwarerutxr1_firmwarerut240rut200RUT model routers
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-5785
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-8||HIGH
EPSS-0.29% / 52.08%
||
7 Day CHG~0.00%
Published-10 Jun, 2024 | 12:13
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command injection vulnerability in Comtrend router

Command injection vulnerability in Comtrend router WLD71-T1_v2.0.201820, affecting the GRG-4280us version. This vulnerability could allow an authenticated user to execute commands inside the router by making a POST request to the URL “/boaform/admin/formUserTracert”.

Action-Not Available
Vendor-Comtrendcomtrend
Product-Comtrend WLD71-T1_v2.0.201820wld71-t1
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-24581
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-89.07% / 99.54%
||
7 Day CHG~0.00%
Published-22 Dec, 2020 | 18:05
Updated-04 Aug, 2024 | 15:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. It contains an execute_cmd.cgi feature (that is not reachable via the web user interface) that lets an authenticated user execute Operating System commands.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dsl2888adsl2888a_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-57357
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-12.20% / 93.89%
||
7 Day CHG~0.00%
Published-07 Feb, 2025 | 00:00
Updated-03 Jul, 2025 | 01:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in TPLINK TL-WPA 8630 TL-WPA8630(US)_V2_2.0.4 Build 20230427 allows a remote attacker to execute arbitrary code via function sub_4256CC, which allows command injection by injecting 'devpwd'.

Action-Not Available
Vendor-n/aTP-Link Systems Inc.
Product-tl-wpa8630tl-wpa8630_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-5461
Matching Score-4
Assigner-Brocade Communications Systems, LLC
ShareView Details
Matching Score-4
Assigner-Brocade Communications Systems, LLC
CVSS Score-8.6||HIGH
EPSS-0.12% / 31.15%
||
7 Day CHG~0.00%
Published-15 Feb, 2025 | 00:06
Updated-23 Feb, 2026 | 14:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command or parameter injection via unique embedded switch SNMP commands.

Implementation of the Simple Network Management Protocol (SNMP) operating on the Brocade 6547 (FC5022) embedded switch blade, makes internal script calls to system.sh from within the SNMP binary. An authenticated attacker could perform command or parameter injection on SNMP operations that are only enabled on the Brocade 6547 (FC5022) embedded switch. This injection could allow the authenticated attacker to issue commands as Root.

Action-Not Available
Vendor-Brocade Communications Systems, Inc. (Broadcom Inc.)Broadcom Inc.
Product-fabric_operating_systembrocade_6547Brocade Fabric OS
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-15631
Matching Score-4
Assigner-Zero Day Initiative
ShareView Details
Matching Score-4
Assigner-Zero Day Initiative
CVSS Score-8||HIGH
EPSS-1.74% / 82.65%
||
7 Day CHG~0.00%
Published-23 Jul, 2020 | 20:45
Updated-04 Aug, 2024 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DAP-1860 1.04B03_HOTFIX WiFi extenders. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the HNAP service, which listens on TCP port 80 by default. When parsing the SOAPAction header, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-10084.

Action-Not Available
Vendor-D-Link Corporation
Product-dap-1860dap-1860_firmwareDAP-1860
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-53375
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-71.14% / 98.73%
||
7 Day CHG~0.00%
Published-02 Dec, 2024 | 00:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Authenticated Remote Code Execution (RCE) vulnerability affects the TP-Link Archer router series. A vulnerability exists in the "tmp_get_sites" function of the HomeShield functionality provided by TP-Link. This vulnerability is still exploitable without the activation of the HomeShield functionality.

Action-Not Available
Vendor-n/aTP-Link Systems Inc.
Product-n/aarcher_axe75_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-52020
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.37% / 58.71%
||
7 Day CHG~0.00%
Published-05 Nov, 2024 | 00:00
Updated-02 May, 2025 | 15:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Netgear R8500 v1.0.2.160 was discovered to contain a command injection vulnerability in the wan_gateway parameter at wiz_fix2.cgi. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-r8500r8500_firmwaren/axr300_firmwarer8500_firmwarer6400_firmwarer7000p_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-20863
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-8||HIGH
EPSS-1.24% / 79.36%
||
7 Day CHG~0.00%
Published-01 Dec, 2021 | 02:15
Updated-03 Aug, 2024 | 17:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS command injection vulnerability in ELECOM routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-1750GSV firmware v2.11 and prior, WRC-1900GST firmware v1.03 and prior, WRC-2533GST firmware v1.03 and prior, WRC-2533GSTA firmware v1.03 and prior, WRC-2533GST2 firmware v1.25 and prior, WRC-2533GST2SP firmware v1.25 and prior, WRC-2533GST2-G firmware v1.25 and prior, and EDWRC-2533GST2 firmware v1.25 and prior) allows a network-adjacent authenticated attackers to execute an arbitrary OS command with the root privilege via unspecified vectors.

Action-Not Available
Vendor-Elecom Co., Ltd.
Product-wrc-2533gs2-b_firmwarewrc-2533gst2-g_firmwarewrc-2533gst2_firmwarewrc-2533gst2spwrc-2533gst_firmwarewrc-2533gst2edwrc-2533gst2_firmwarewrc-1750gsv_firmwarewrc-1167gst2a_firmwarewrc-2533gsta_firmwarewrc-1167gst2awrc-1750gsvwrc-2533gs2-bwrc-2533gs2-w_firmwarewrc-1900gstwrc-1167gst2wrc-2533gst2sp_firmwarewrc-1750gs_firmwarewrc-2533gstawrc-2533gst2-gwrc-1750gswrc-1167gst2_firmwarewrc-2533gs2-wwrc-1900gst_firmwarewrc-2533gstwrc-1167gst2hwrc-1167gst2h_firmwareedwrc-2533gst2ELECOM routers
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-52019
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.39% / 59.83%
||
7 Day CHG~0.00%
Published-05 Nov, 2024 | 00:00
Updated-02 May, 2025 | 15:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Netgear R8500 v1.0.2.160 was discovered to contain a command injection vulnerability in the wan_gateway parameter at genie_fix2.cgi. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-r8500r8500_firmwaren/ar8500_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-52021
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.37% / 58.71%
||
7 Day CHG~0.00%
Published-05 Nov, 2024 | 00:00
Updated-02 May, 2025 | 15:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Netgear R8500 v1.0.2.160 was discovered to contain a command injection vulnerability in the wan_gateway parameter at bsw_fix.cgi. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-r8500r8500_firmwaren/axr300_firmwarer8500_firmwarer6400_firmwarer7000p_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-20859
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-8||HIGH
EPSS-0.33% / 55.58%
||
7 Day CHG~0.00%
Published-01 Dec, 2021 | 02:15
Updated-03 Aug, 2024 | 17:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ELECOM LAN routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-1750GSV firmware v2.11 and prior, WRC-1900GST firmware v1.03 and prior, WRC-2533GST firmware v1.03 and prior, WRC-2533GSTA firmware v1.03 and prior, WRC-2533GST2 firmware v1.25 and prior, WRC-2533GST2SP firmware v1.25 and prior, WRC-2533GST2-G firmware v1.25 and prior, and EDWRC-2533GST2 firmware v1.25 and prior) allows a network-adjacent authenticated attacker to execute an arbitrary OS command via unspecified vectors.

Action-Not Available
Vendor-Elecom Co., Ltd.
Product-wrc-2533gs2-b_firmwarewrc-2533gst2-g_firmwarewrc-2533gst2_firmwarewrc-2533gst2spwrc-2533gst_firmwarewrc-2533gst2edwrc-2533gst2_firmwarewrc-1750gsv_firmwarewrc-1167gst2a_firmwarewrc-2533gsta_firmwarewrc-1167gst2awrc-1750gsvwrc-2533gs2-bwrc-2533gs2-w_firmwarewrc-1900gstwrc-1167gst2wrc-2533gst2sp_firmwarewrc-1750gs_firmwarewrc-2533gstawrc-2533gst2-gwrc-1750gswrc-1167gst2_firmwarewrc-2533gs2-wwrc-1900gst_firmwarewrc-2533gstwrc-1167gst2hwrc-1167gst2h_firmwareedwrc-2533gst2ELECOM LAN routers
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-52018
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.40% / 60.74%
||
7 Day CHG~0.00%
Published-05 Nov, 2024 | 00:00
Updated-02 May, 2025 | 15:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Netgear XR300 v1.0.3.78 was discovered to contain a command injection vulnerability in the system_name parameter at genie_dyn.cgi. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-xr300_firmwarexr300n/axr300_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-51009
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-1.06% / 77.79%
||
7 Day CHG~0.00%
Published-05 Nov, 2024 | 00:00
Updated-02 May, 2025 | 15:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Netgear R8500 v1.0.2.160 was discovered to contain a command injection vulnerability in the wan_gateway parameter at ether.cgi. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-r8500r8500_firmwaren/ar8500_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-51151
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-43.27% / 97.52%
||
7 Day CHG~0.00%
Published-20 Nov, 2024 | 00:00
Updated-22 Nov, 2024 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

D-Link DI-8200 16.07.26A1 is vulnerable to remote command execution in the msp_info_htm function via the flag parameter and cmd parameter.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-di-8200di-8200_firmwaren/adi-8200_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-51024
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.10% / 26.40%
||
7 Day CHG~0.00%
Published-05 Nov, 2024 | 00:00
Updated-07 May, 2025 | 14:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

D-Link DIR_823G 1.0.2B05 was discovered to contain a command injection vulnerability via the HostName parameter in the SetWanSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-823g_firmwaredir-823gn/adir_823g_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-51005
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.71% / 72.36%
||
7 Day CHG~0.00%
Published-05 Nov, 2024 | 00:00
Updated-02 May, 2025 | 15:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Netgear R8500 v1.0.2.160 was discovered to contain a command injection vulnerability in the share_name parameter at usb_remote_smb_conf.cgi. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-r8500r8500_firmwaren/ar8500_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-51010
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.71% / 72.36%
||
7 Day CHG~0.00%
Published-05 Nov, 2024 | 00:00
Updated-21 May, 2025 | 19:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Netgear R8500 v1.0.2.160, XR300 v1.0.3.78, R7000P v1.3.3.154, and R6400 v2 1.0.4.128 were discovered to contain a command injection vulnerability in the component ap_mode.cgi via the apmode_gateway parameter. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-r8500_firmwarer6400v2_firmwarer8500r7000pr7000p_firmwarexr300xr300_firmwarer6400v2n/axr300_firmwarer8500_firmwarer6400_firmwarer7000p_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-51008
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.71% / 72.36%
||
7 Day CHG~0.00%
Published-05 Nov, 2024 | 00:00
Updated-02 May, 2025 | 15:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Netgear XR300 v1.0.3.78 was discovered to contain a command injection vulnerability in the system_name parameter at wiz_dyn.cgi. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-xr300_firmwarexr300n/axr300_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-48826
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-5.14% / 89.93%
||
7 Day CHG~0.00%
Published-28 Oct, 2024 | 00:00
Updated-17 Mar, 2025 | 14:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Tenda AC7 v.15.03.06.44 ate_iwpriv_set has pre-authentication command injection allowing remote attackers to execute arbitrary code.

Action-Not Available
Vendor-n/aTenda Technology Co., Ltd.
Product-ac7ac7_firmwaren/aac7_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-48825
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-2.72% / 86.02%
||
7 Day CHG~0.00%
Published-28 Oct, 2024 | 00:00
Updated-17 Mar, 2025 | 14:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Tenda AC7 v.15.03.06.44 ate_ifconfig_set has pre-authentication command injection allowing remote attackers to execute arbitrary code.

Action-Not Available
Vendor-n/aTenda Technology Co., Ltd.
Product-ac7ac7_firmwaren/aac7_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-50993
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-1.06% / 77.79%
||
7 Day CHG~0.00%
Published-05 Nov, 2024 | 00:00
Updated-22 Apr, 2025 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Netgear R8500 v1.0.2.160 was discovered to contain a command injection vulnerability in the sysNewPasswd parameter at admin_account.cgi. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-r8500r8500_firmwaren/ar8500_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-51021
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.43% / 62.36%
||
7 Day CHG~0.00%
Published-05 Nov, 2024 | 00:00
Updated-21 May, 2025 | 20:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Netgear XR300 v1.0.3.78, R7000P v1.3.3.154, and R6400 v2 1.0.4.128 was discovered to contain a command injection vulnerability via the wan_gateway parameter at genie_fix2.cgi. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-r6400v2_firmwarer7000pr7000p_firmwarexr300_firmwarexr300r6400v2n/axr300_firmwarer6400_firmwarer7000p_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-48635
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.82% / 74.52%
||
7 Day CHG~0.00%
Published-17 Oct, 2024 | 00:00
Updated-07 May, 2025 | 16:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the VLANID:2/VID parameter in the SetVLANSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-878_firmwaredir-882dir-882_firmwaredir-878n/adir-882_firmwaredir-878_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-48634
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-3.69% / 88.00%
||
7 Day CHG~0.00%
Published-17 Oct, 2024 | 00:00
Updated-07 May, 2025 | 16:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the key parameter in the SetWLanRadioSecurity function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-878_firmwaredir-882dir-882_firmwaredir-878n/adir-882_firmwaredir-878_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-48630
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.25% / 48.55%
||
7 Day CHG~0.00%
Published-17 Oct, 2024 | 00:00
Updated-07 May, 2025 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the MacAddress parameter in the SetMACFilters2 function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-878_firmwaredir-882dir-882_firmwaredir-878n/adir-882_firmwaredir-878_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-48637
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.82% / 74.52%
||
7 Day CHG~0.00%
Published-17 Oct, 2024 | 00:00
Updated-07 May, 2025 | 16:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the VLANID:1/VID parameter in the SetVLANSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-878_firmwaredir-882dir-882_firmwaredir-878n/adir-882_firmwaredir-878_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-48632
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.25% / 48.55%
||
7 Day CHG~0.00%
Published-17 Oct, 2024 | 00:00
Updated-07 May, 2025 | 16:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain multiple command injection vulnerabilities via the LocalIPAddress, TCPPorts, and UDPPorts parameters in the SetPortForwardingSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-878_firmwaredir-882dir-882_firmwaredir-878n/adir-882_firmwaredir-878_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-48633
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.25% / 48.55%
||
7 Day CHG~0.00%
Published-17 Oct, 2024 | 00:00
Updated-07 May, 2025 | 16:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain multiple command injection vulnerabilities via the ExternalPort, InternalPort, ProtocolNumber, and LocalIPAddress parameters in the SetVirtualServerSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-878_firmwaredir-882dir-882_firmwaredir-878n/adir-882_firmwaredir-878_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-48631
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.82% / 74.52%
||
7 Day CHG~0.00%
Published-17 Oct, 2024 | 00:00
Updated-07 May, 2025 | 16:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the SSID parameter in the SetWLanRadioSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-878_firmwaredir-882dir-882_firmwaredir-878n/adir-882_firmwaredir-878_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-48638
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.82% / 74.52%
||
7 Day CHG~0.00%
Published-17 Oct, 2024 | 00:00
Updated-07 May, 2025 | 15:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the SubnetMask parameter in the SetGuestZoneRouterSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-878_firmwaredir-882dir-882_firmwaredir-878n/adir-882_firmwaredir-878_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-48629
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.82% / 74.52%
||
7 Day CHG~0.00%
Published-17 Oct, 2024 | 00:00
Updated-07 May, 2025 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the IPAddress parameter in the SetGuestZoneRouterSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-878_firmwaredir-882dir-882_firmwaredir-878n/adir-882_firmwaredir-878_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-31976
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.32% / 54.58%
||
7 Day CHG~0.00%
Published-27 Nov, 2024 | 00:00
Updated-26 Jan, 2026 | 20:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

EnGenius EWS356-FIR 1.1.30 and earlier devices allow a remote attacker to execute arbitrary OS commands via the Controller connectivity parameter.

Action-Not Available
Vendor-engeniustechn/aengenius
Product-ews356-firews356-fir_firmwaren/aews356_fit_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-5525
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-8||HIGH
EPSS-0.23% / 45.52%
||
7 Day CHG~0.00%
Published-21 Feb, 2020 | 09:15
Updated-04 Aug, 2024 | 08:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Aterm series (Aterm WF1200C firmware Ver1.2.1 and earlier, Aterm WG1200CR firmware Ver1.2.1 and earlier, Aterm WG2600HS firmware Ver1.3.2 and earlier) allows an authenticated attacker on the same network segment to execute arbitrary OS commands with root privileges via management screen.

Action-Not Available
Vendor-NEC Corporation
Product-aterm_wg1200craterm_wf1200c_firmwareaterm_wg1200cr_firmwareaterm_wg2600hs_firmwareaterm_wf1200caterm_wg2600hsAterm series
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-48636
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.82% / 74.52%
||
7 Day CHG~0.00%
Published-17 Oct, 2024 | 00:00
Updated-07 May, 2025 | 16:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the VLANID:0/VID parameter in the SetVLANSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-878_firmwaredir-882dir-882_firmwaredir-878n/adir-882_firmwaredir-878_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-43443
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-8||HIGH
EPSS-0.96% / 76.54%
||
7 Day CHG~0.00%
Published-19 Dec, 2022 | 00:00
Updated-17 Apr, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS command injection vulnerability in Buffalo network devices allows an network-adjacent attacker to execute an arbitrary OS command if a specially crafted request is sent to the management page.

Action-Not Available
Vendor-BUFFALO INC.
Product-wsr-2533dhpwsr-2533dhp3_firmwarewsr-a2533dhp3_firmwarewsr-2533dhp2wsr-2533dhpl2wsr-2533dhpl2_firmwarewsr-2533dhp3wsr-2533dhplswcr-1166ds_firmwarewsr-3200ax4b_firmwarewcr-1166dswsr-3200ax4swsr-2533dhp2_firmwarewsr-a2533dhp3wsr-2533dhplwsr-3200ax4bwsr-2533dhpl_firmwarewsr-3200ax4s_firmwarewsr-2533dhp_firmwarewsr-a2533dhp2wsr-2533dhpls_firmwarewsr-a2533dhp2_firmwareWSR-2533DHPL2WSR-2533DHPLWSR-A2533DHP3WSR-2533DHP3WSR-A2533DHP2WSR-3200AX4SWXR-5700AX7BWSR-2533DHPLSWCR-1166DSWSR-1166DHP2WSR-2533DHP2WXR-5700AX7SWSR-1166DHPWSR-2533DHPLBWSR-3200AX4BWSR-2533DHPWXR-11000XE12
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-42433
Matching Score-4
Assigner-Zero Day Initiative
ShareView Details
Matching Score-4
Assigner-Zero Day Initiative
CVSS Score-6.4||MEDIUM
EPSS-0.10% / 27.89%
||
7 Day CHG~0.00%
Published-29 Mar, 2023 | 00:00
Updated-14 Feb, 2025 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link TL-WR841N TL-WR841N(US)_V14_220121 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the ated_tp service. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-17356.

Action-Not Available
Vendor-TP-Link Systems Inc.
Product-tl-wr841_firmwaretl-wr841nTL-WR841N
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2026-22223
Matching Score-4
Assigner-TP-Link Systems Inc.
ShareView Details
Matching Score-4
Assigner-TP-Link Systems Inc.
CVSS Score-8.5||HIGH
EPSS-0.09% / 25.15%
||
7 Day CHG~0.00%
Published-02 Feb, 2026 | 17:49
Updated-26 Feb, 2026 | 15:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command Injection Vulnerability on TP-Link Archer BE230 v1.2

An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2(vpn modules) allows adjacent authenticated attacker execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID.This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420.

Action-Not Available
Vendor-TP-Link System Inc.TP-Link Systems Inc.
Product-archer_be230archer_be230_firmwareArcher BE230 v1.2
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • Next
Details not found