CVE-2024-22729
published 2024-01-25CVE-2024-22729: NETIS SYSTEMS MW5360 V1.0.1.3031 was discovered to contain a command injection vulnerability via the password parameter on the login page.
PriorityP188critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
70.78%
99.3th percentile
NETIS SYSTEMS MW5360 V1.0.1.3031 was discovered to contain a command injection vulnerability via the password parameter on the login page.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netis-systems | mw5360_firmware | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Authorization header bypass: the router's login page authorization can be bypassed by simply deleting the authorization header. Detect unauthenticated POST requests to /cgi-bin/skk_set.cgi lacking an Authorization header. ↗
- →Commands are injected into the 'password' parameter encoded in base64. Decode base64 values in the password POST parameter and inspect for shell metacharacters or OS commands (e.g., wget, curl). ↗
- →Nuclei template uses an out-of-band (interactsh) HTTP callback via a wget payload to confirm exploitation. Monitor for outbound HTTP/DNS requests from Netis MW5360 devices to unknown external hosts. ↗
- →Fingerprint vulnerable devices by checking for 'netis router' in the HTTP response body of the root page (GET /) before exploitation attempt. ↗
- ·All firmware versions up to V1.0.1.3442 are reported as vulnerable, not just the initially disclosed V1.0.1.3031. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-vqxw-rw4p-r6vh: NETIS SYSTEMS MW5360 V1
ghsa_unreviewed·2024-01-25
CVE-2024-22729 [CRITICAL] CWE-77 GHSA-vqxw-rw4p-r6vh: NETIS SYSTEMS MW5360 V1
NETIS SYSTEMS MW5360 V1.0.1.3031 was discovered to contain a command injection vulnerability via the password parameter on the login page.
VulnCheck
netis-systems mw5360_firmware Improper Neutralization of Special Elements used in a Command ('Command Injection')
vulncheck·2024·CVSS 9.8
CVE-2024-22729 [CRITICAL] netis-systems mw5360_firmware Improper Neutralization of Special Elements used in a Command ('Command Injection')
netis-systems mw5360_firmware Improper Neutralization of Special Elements used in a Command ('Command Injection')
NETIS SYSTEMS MW5360 V1.0.1.3031 was discovered to contain a command injection vulnerability via the password parameter on the login page.
Affected: netis-systems mw5360_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-06-27&host_type=src&vulnerability=cve-2024-22729; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-06-28&host_type=src&vulnerability=cve-2024-22729; https://dashboard.shadowserver.org/statistics/honeypot/v
No detection rules found.
Metasploit
Netis router MW5360 unauthenticated RCE.
metasploit
Netis router MW5360 unauthenticated RCE.
Netis router MW5360 unauthenticated RCE.
Netis router MW5360 has a command injection vulnerability via the password parameter on the login page. The vulnerability stems from improper handling of the "password" parameter within the router's web interface. The router's login page authorization can be bypassed by simply deleting the authorization header, leading to the vulnerability. All router firmware versions up to `V1.0.1.3442` are vulnerable. Attackers can inject a command in the 'password' parameter, encoded in base64, to exploit the command injection vulnerability. When exploited, this can lead to unauthorized command execution, potentially allowing the attacker to take control of the router.
Nuclei
Netis MW5360 V1.0.1.3031 - Command Injection
nuclei·CVSS 9.8
CVE-2024-22729 [CRITICAL] Netis MW5360 V1.0.1.3031 - Command Injection
Netis MW5360 V1.0.1.3031 - Command Injection
NETIS SYSTEMS MW5360 V1.0.1.3031 was discovered to contain a command injection vulnerability via the password parameter on the login page.
Template:
id: CVE-2024-22729
info:
name: Netis MW5360 V1.0.1.3031 - Command Injection
author: pussycat0x
severity: critical
description: |
NETIS SYSTEMS MW5360 V1.0.1.3031 was discovered to contain a command injection vulnerability via the password parameter on the login page.
impact: |
Unauthenticated attackers can execute arbitrary OS commands via the password parameter, potentially compromising the entire Netis router.
remediation: |
Update Netis MW5360 firmware to a version newer than V1.0.1.3031.
reference:
- https://github.com/adhikara13/CVE/blob/main/netis_MW5360/blind%20command%20injection%20in%20
No writeups or analysis indexed.
2024-01-25
Published
Exploited in the wild